Abstract

Authentication is a well-studied area of classical cryptography: a sender A and a receiver B sharing a 
classical private key want to exchange a classical message with the guarantee that the message has not 
been modified or replaced by a dishonest party with control of the communication line. In this paper we 
study the authentication of messages composed of quantum states. 

We give a formal definition of authentication in the quantum setting. Assuming A and B have access
to an insecure quantum channel and share a private, classical random key, we provide a non-interactive
scheme that enables A to both encrypt and authenticate (with unconditional security) an m-qubit message
by encoding it into m + s qubits, where the probability that a tampered message goes undetected decreases
exponentially in the security parameter s. The scheme requires a private key of size 2m + O(s). To achieve
this, we give a highly efficient protocol for testing the purity of shared EPR pairs.

It has long been known that learning information about a general quantum state will necessarily 
disturb it. We refine this result to show that such a disturbance can be done with few side effects, 
allowing it to circumvent cryptographic protections. Consequently, any scheme to authenticate quantum 
messages must also encrypt them. In contrast, no such constraint exists classically: authentication and 
encryption are independent tasks, and one can authenticate a message while leaving it publicly readable. 

This reasoning has two important consequences: On one hand, it allows us to give a lower bound of 
2m key bits for authenticating m qubits, which makes our protocol asymptotically optimal. On the other 
hand, we use it to show that digitally signing quantum states is impossible, even with only computational 
security. 
1 Introduction

Until recently, the expression "quantum cryptography" referred mostly to quantum key distribution protocols
[13]. However, these words now refer to a larger set of problems. While QKD and many other quantum
protocols attempt to provide improved security for tasks involving classical information, an emerging area of
quantum cryptography attempts instead to create secure protocols for tasks involving quantum information.
One standard cryptographic task is the authentication of messages: A transmits some information to B
over an insecure channel, and they wish to be sure that it has not been tampered with en route. When the
message is classical, and A and B share a random private key, this problem can be solved by, for instance,
the Wegman-Carter scheme [12]. In this paper, we discuss the analogous question for quantum messages.

A naive approach If we assume A and B share a private quantum key in the form of m EPR pairs,
as well as some private classical key, there is a straightforward solution to this problem: A simply uses
quantum teleportation to send her message to B, authenticating the 2m classical bits transmitted in
the teleportation protocol. If A and B initially share only a classical key, however, the task is more difficult.
We start with a simple approach: first distribute EPR pairs (which might get corrupted in transit), and then
use entanglement purification [7] to establish clean pairs for teleportation. This can be improved: we do not
need a full-scale entanglement purification protocol, which produces good EPR pairs even if the channel is
noisy; instead we only need something we call a purity testing protocol, which checks that EPR pairs are
correct, but does not attempt to repair them in case of error.

Unfortunately, any such protocol will have to be interactive, since A must first send some qubits to B and
then wait for confirmation of receipt before completing the transmission. This is unsuitable for situations
in which a message is stored and must be checked for authenticity at a later time. Also, this interactive
protocol achieves something stronger than what is required of a quantum authentication scheme: at the end
of the purity-testing based scheme, both Alice and Bob know that the transmission was successful, whereas
for authentication, we only require that Bob knows.

Contributions In this paper we study non-interactive quantum authentication schemes with classical keys.
Our primary contributions are:

• Formal definition of authentication for quantum states

In classical authentication, one simply limits the probability that the adversary can make any change
to the state without detection. This condition is too stringent for quantum information, where we only
require high fidelity to the original state. We state our definition in terms of the transmission of pure
states (section 3), but also show that the same definition implies security for mixed or entangled states.

• Construction of efficient purity testing protocols

We show how to create purity-testing protocols using families of quantum error-correcting codes with
a particular covering property, namely that any Pauli error is detected by most of the codes in the
family. We construct an efficient such family based on projective geometry, yielding a purity-testing
protocol requiring only O(s) (classical) bits of communication, where s is the security parameter
(section 4).

Purity-testing codes have not explicitly appeared before in the literature, but have been present
implicitly in earlier work, for instance [15, 19]. To prove our purity-testing protocols secure, we use
a "quantum-to-classical" reduction, due to Lo and Chau [15]. Subsequently to our work, Ambainis,
Smith, and Yang used our construction of purity-testing protocols in a study of more general
entanglement extraction procedures.
• Construction of non-interactive quantum authentication schemes (QAS)

We show that a secure non-interactive QAS can be constructed from any purity-testing protocol derived,
as above, from QECCs (section 5). In particular, for our family of codes, we obtain an authentication
scheme which requires sending m + s qubits, and consuming 2m + O(s) bits of classical key for a
message of m qubits. The proof techniques in the Shor and Preskill paper [19] serve as inspiration for
the transformation from an interactive purity-testing protocol to a non-interactive QAS.

• Study of the relation between encryption and authentication

One feature of our authentication protocol is that it completely encrypts the quantum message being
sent. We show that this is a necessary feature of any QAS (section 6), in striking contrast to the situation
for classical information, where common authentication schemes leave the message completely
intelligible. It therefore follows that any authentication protocol for an m-qubit message must use
nearly 2m bits of classical key, enough to encrypt the message. The protocol we present approaches
this bound asymptotically.

• Impossibility of digitally signing quantum states

Since authentication requires encryption, it is impossible to create digital signature schemes for quantum
messages: any protocol which allows one recipient to read a message also allows him or her to
modify it without risk of detection, and therefore all potential recipients of an authenticated message
must be trustworthy (section 7). This conclusion holds true even if we require only computationally
secure digital signatures. Note that this does not in any way preclude the possibility of signing
classical messages with or without quantum states [14].

Why should we prefer a scheme with classical keys to a scheme with entangled quantum keys? The task
of authenticating quantum data is only useful in a scenario where quantum information can be reliably stored,
manipulated, and transmitted over communication lines, so it would not be unreasonable to assume quantum
keys. However, many manipulations are easier with classical keys. Certainly, the technology for storing and
manipulating them is already available, but there are additional advantages. Consider, for example, public
key cryptography; it is possible to sign and encrypt classical key bits with public key systems, but signing a
general quantum state is impossible. Thus, quantum keys would be unsuitable for an asymmetric quantum
authentication scheme such as the one we describe in section 5.1.

2 Preliminaries

2.1 Classical Authentication

In the classical setting, an authentication scheme is defined by a pair of functions $A : K \times M \to C$ and
$B : K \times C \to M \times \{\text{valid}, \text{invalid}\}$ such that for any message $\mu \in M$ and key $k \in K$ we have completeness

$$B_k(A_k(\mu)) = (\mu, \text{valid})$$

and that for any opponent algorithm $O$, we have soundness

$$\Pr\big[\,B_k(O(A_k(\mu))) \in \{(\mu, \text{valid})\} \cup \{(\mu', \text{invalid}) \mid \mu' \in M\}\,\big] \ge 1 - 2^{-t}$$

where $t = \lg \#C - \lg \#M$ is the security parameter creating the tradeoff between the expansion of the
messages and the security level. Note that we only consider information-theoretically secure schemes, not
schemes that are based on computational assumptions.
Wegman and Carter [12] introduced several constructions for such schemes; their most efficient uses
keys of size only $4(t + \lg\lg m)\lg m$ and achieves security $1 - 2^{-t+2}$. This compares rather well to the
known lower bound of $t + \lg m - \lg t$ for such a result [12]. The same work also introduced a technique
to re-use an authentication function several times by using one-time-pad encryption on the tag, so that an
opponent cannot learn anything about the particular key being used by A and B. Thus, at a marginal cost
of only $t$ secret key bits per authentication, the confidentiality of the authentication function $h$ is guaranteed
and thus it may be re-used (a polynomial number of times).
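The following Python, added here as an illustration and not part of the paper, implements a one-time MAC of this shape: an almost-universal polynomial hash over a prime field (a different and simpler hash family than the one in [12]; the field, block size and length prefix are this example's own choices) with the tag masked by a one-time-pad value, so that the hash key can be re-used as described above. It also shows the cost of getting the re-use rule wrong: if the same pad value masks two tags, an observer recovers both the hash key and the pad and can then forge a tag for any message.

```python
"""One-time MAC in the Wegman-Carter style: an almost-universal polynomial
hash over a prime field, with the tag masked by a one-time pad so that
the hash key can be re-used.

Added example, not the construction of Wegman and Carter [12] itself (which
uses a different, shorter-key hash family); the field, block size and
length prefix below are this example's own choices.  With L message blocks
the hash is a polynomial of degree at most L+1 in the key a, so two
distinct messages collide on at most L+1 values of a, and a forger who
alters a message passes verification with probability at most (L+1)/P.
"""
import secrets

P = (1 << 61) - 1     # Mersenne prime; tags are field elements (~61 bits)
BLOCK_BYTES = 7       # each block is an integer < 2**56 < P


def blocks(msg: bytes):
    """Message as field elements, length-prefixed so that messages of
    different lengths never yield the same polynomial."""
    out = [len(msg)]
    for i in range(0, len(msg), BLOCK_BYTES):
        out.append(int.from_bytes(msg[i:i + BLOCK_BYTES], "big"))
    return out


def poly_hash(a: int, msg: bytes) -> int:
    """h_a(m) = sum_i m_i a^(L+1-i) (mod P) by Horner's rule; every block,
    including the last one, is multiplied by at least one power of a."""
    acc = 0
    for m_i in blocks(msg):
        acc = (acc * a + m_i) % P
    return (acc * a) % P


def tag(a: int, pad: int, msg: bytes) -> int:
    """Tag = h_a(m) + pad (mod P).  `a` is the re-usable hash key; `pad`
    is the one-time-pad value and must never be used for two messages."""
    return (poly_hash(a, msg) + pad) % P


def verify(a: int, pad: int, msg: bytes, t: int) -> bool:
    return tag(a, pad, msg) == t


def keygen(n_messages: int):
    """Hash key plus one fresh pad value per message to be authenticated."""
    return secrets.randbelow(P), [secrets.randbelow(P) for _ in range(n_messages)]


def recover_key_from_pad_reuse(m1: bytes, t1: int, m2: bytes, t2: int):
    """What goes wrong if the pad is reused.  For two single-block messages
    of equal length, t1 - t2 = (m1 - m2) * a (mod P), which hands a, and
    then the pad, to anyone who saw both tags.  Returns (a, pad)."""
    b1, b2 = blocks(m1), blocks(m2)
    assert len(b1) == len(b2) == 2 and b1[0] == b2[0] and b1[1] != b2[1]
    a = (t1 - t2) * pow((b1[1] - b2[1]) % P, P - 2, P) % P
    pad = (t1 - poly_hash(a, m1)) % P
    return a, pad


if __name__ == "__main__":
    a, pads = keygen(3)
    msgs = [b"pay 10", b"pay 20", b"transfer 10 to bob"]
    tags = [tag(a, pad, m) for pad, m in zip(pads, msgs)]
    print("all verify:", all(verify(a, p, m, t) for p, m, t in zip(pads, msgs, tags)))
    # pad reuse: the same pad masks two tags, and the whole key leaks
    t1, t2 = tag(a, pads[0], msgs[0]), tag(a, pads[0], msgs[1])
    print("recovered key:", recover_key_from_pad_reuse(msgs[0], t1, msgs[1], t2) == (a, pads[0]))
```

Only the pad must be fresh per message; `a` is shared by all of them, at a cost of one field element (about 61 bits, playing the role of the t secret bits per authentication mentioned above) of pad per tag. The break in `recover_key_from_pad_reuse` is the same failure mode as nonce reuse in the polynomial MACs used inside modern authenticated-encryption modes.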

For the remainder of this paper, we assume the reader is familiar with the basic notions and notation of
quantum computing. These can be found in standard textbooks. Since we rely heavily on terminology
and techniques from quantum error correction (especially stabilizer codes), appendix A provides a summary
of the relevant notions.



2.2 Purification and purity testing

Quantum error-correcting codes (QECCs) may be used for entanglement purification. In this setting,
A and B share some Bell states (say $|\Phi^+\rangle = (|00\rangle + |11\rangle)/\sqrt{2}$) which have been corrupted by transmission through
a noisy quantum channel. They want a protocol which processes these imperfect EPR pairs and produces
a smaller number of higher-quality pairs. We assume that A and B have access to an authenticated, public
classical channel. At the end of the protocol, they either accept or reject based on any inconsistencies
they have observed. As long as A and B have a noticeable probability of accepting, then conditioned on
accepting, the state they share should have fidelity almost 1 to the pure state $|\Phi^+\rangle^{\otimes m}$. Moreover, small
amounts of noise in their initial shared state should not cause failure of the protocol.

Stabilizer codes can be particularly useful for purification because of the following observation: for any
stabilizer code $Q$, if we measure the syndrome of one half of a set of Bell states $|\Phi^+\rangle^{\otimes n}$ and obtain the
result $y$, then the result is the state $|\Phi^+\rangle^{\otimes m}$, with each of its two halves encoded in the coset with syndrome
$y$. (Moreover, in this case the distribution on $y$ is uniform.) If the original state is erroneous, A and B will
likely find different syndromes, which will differ by the syndrome associated with the actual error.

Most purification protocols based on stabilizer codes require efficient error correction; we measure the
syndrome, and use that information to efficiently restore the encoded state. However, one can imagine a
weaker task in which Alice and Bob only want to test their EPR pairs for purity, i.e. they want a guarantee
that if their pairs pass the test, their shared state will probably be close to $|\Phi^+\rangle^{\otimes m}$. In that case, we can use
the code for error detection, not correction, and need only be able to encode and decode efficiently from the
space $Q$.



2.3 Encryption of Quantum Messages

A useful ingredient for much recent work in quantum cryptography is the concept of quantum teleportation,
put forward by Bennett et al. After A and B have shared a singlet state, A can later secretly send a single
qubit in an arbitrary quantum state $\rho$ to B by measuring her half of the singlet state together with her state $\rho$
in the Bell basis to get two classical bits $b_0, b_1$. As a result, B's half of the singlet state will become one of
four possibilities $\rho' := \sigma_z^{b_0}\sigma_x^{b_1}\,\rho\,\sigma_x^{b_1}\sigma_z^{b_0}$. If A sends $b_0, b_1$, then B can easily recover $\rho$.

Now without the bits $b_0, b_1$, the state $\rho'$ reveals no information about $\rho$: averaged over the four equally
likely values of $(b_0, b_1)$ it is the maximally mixed state whatever $\rho$ was. Thus, one can turn this into an
encryption scheme which uses only a classical key: after A and B have secretly shared two classical bits
$b_0, b_1$, A can later secretly send a single qubit in an arbitrary quantum state $\rho$ to B by sending him a qubit
in state $\rho'$ as above. This is called a quantum one-time pad (QOTP). This scheme is optimal: any
quantum encryption (with a classical key) must use 2 bits of key for every transmitted qubit.
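As an added example (not from the paper), the following Python simulates the quantum one-time pad on one qubit with 2x2 density matrices, applying $\sigma_z^{b_0}\sigma_x^{b_1}$ for each of the four key pairs. It checks the two facts the text relies on: averaged over the key, every input becomes the maximally mixed state, so the trace distance between the ciphertexts of any two states is 0 (the error-0 case of Definition 5 in Section 6); and dropping one of the two key bits, here the $\sigma_z$ bit, leaves $|+\rangle$ and $|-\rangle$ perfectly distinguishable, which is why two key bits per qubit are needed. The `trace_distance` helper uses the closed form for 2x2 traceless Hermitian matrices; all names are this example's own.

```python
"""Quantum one-time pad (QOTP) on one qubit, simulated with 2x2 density
matrices in plain Python.

Added example, not from the paper.  Encryption with key bits (b0, b1)
applies U = sigma_z^b0 sigma_x^b1, i.e. rho' = U rho U^dagger, as in the
teleportation-derived scheme above; decryption applies U^dagger.
"""
import math

ID = [[1, 0], [0, 1]]
SX = [[0, 1], [1, 0]]
SZ = [[1, 0], [0, -1]]


def mm(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)] for i in range(2)]


def dag(a):
    return [[complex(a[j][i]).conjugate() for j in range(2)] for i in range(2)]


def add(a, b, s=1):
    return [[a[i][j] + s * b[i][j] for j in range(2)] for i in range(2)]


def close(a, b, tol=1e-12):
    return all(abs(a[i][j] - b[i][j]) < tol for i in range(2) for j in range(2))


def ket_to_rho(v):
    """Density matrix |v><v| of a (not necessarily normalised) qubit state."""
    n = math.sqrt(sum(abs(c) ** 2 for c in v))
    v = [complex(c) / n for c in v]
    return [[v[i] * v[j].conjugate() for j in range(2)] for i in range(2)]


def pad_unitary(b0, b1):
    u = ID
    if b1:
        u = mm(u, SX)       # sigma_x^{b1} acts first
    if b0:
        u = mm(SZ, u)       # then sigma_z^{b0}
    return u


def encrypt(rho, b0, b1):
    u = pad_unitary(b0, b1)
    return mm(mm(u, rho), dag(u))


def decrypt(rho_enc, b0, b1):
    u = pad_unitary(b0, b1)
    return mm(mm(dag(u), rho_enc), u)


def eavesdropper_view(rho, keys=((0, 0), (0, 1), (1, 0), (1, 1))):
    """Average ciphertext over the key: all an adversary without the key can
    see.  Restrict `keys` to model a pad that is too short."""
    acc = [[0, 0], [0, 0]]
    for b0, b1 in keys:
        acc = add(acc, encrypt(rho, b0, b1))
    return [[acc[i][j] / len(keys) for j in range(2)] for i in range(2)]


def trace_distance(r0, r1):
    """D(r0, r1) = (1/2) Tr|r0 - r1|.  The difference is traceless and
    Hermitian, so its eigenvalues are +/- sqrt(-det) and D = sqrt(-det)."""
    d = add(r0, r1, -1)
    det = d[0][0] * d[1][1] - d[0][1] * d[1][0]
    return math.sqrt(max(0.0, -complex(det).real))


if __name__ == "__main__":
    plus, minus = ket_to_rho([1, 1]), ket_to_rho([1, -1])
    zero, one = ket_to_rho([1, 0]), ket_to_rho([0, 1])
    print("full pad, |0> vs |1>:", trace_distance(eavesdropper_view(zero), eavesdropper_view(one)))
    x_only = ((0, 0), (0, 1))    # one key bit: only sigma_x^{b1} is applied
    print("X-only pad, |+> vs |->:",
          trace_distance(eavesdropper_view(plus, x_only), eavesdropper_view(minus, x_only)))
```

The one-bit pad fails because $\sigma_x$ fixes $|+\rangle$ and $|-\rangle$ up to a phase, so their ciphertexts are the plaintexts themselves; the $\sigma_z$ bit is what hides that basis, and symmetrically the $\sigma_x$ bit hides the computational basis.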
3 Quantum Authentication

At an intuitive level, a quantum authentication scheme is a keyed system which allows A to send a state $\rho$
to B with a guarantee: if B accepts the received state as "good", the fidelity of that state to $\rho$ is almost 1.
Moreover, if the adversary makes no changes, B should always accept, and the fidelity should be exactly 1.

Of course, this informal definition is impossible to attain. The adversary might always replace A's
transmitted message with a completely mixed state. There would nonetheless be a small probability that B
would accept, but even when he did accept, the fidelity of the received state to A's initial state would be
very low.

The problem here is that we are conditioning on B's acceptance of the received state; this causes trouble
if the adversary's a priori chances of cheating are high. A more reasonable definition would require a tradeoff
between B's chances of accepting, and the expected fidelity of the received system to A's initial state given
his acceptance: as B's chance of accepting increases, so should the expected fidelity.

It turns out that there is no reason to use both the language of probability and that of fidelity here:
for classical tests, fidelity and probability of acceptance coincide. With this in mind we first define what
constitutes a quantum authentication scheme, and then give a definition of security:

Definition 1 A quantum authentication scheme (QAS) is a pair of polynomial time quantum algorithms A
and B together with a set of classical keys $K$ such that:

• A takes as input an $m$-qubit message system M and a key $k \in K$, and outputs a transmitted system T
of $m + t$ qubits.

• B takes as input the (possibly altered) transmitted system T' and a classical key $k \in K$ and outputs
two systems: an $m$-qubit message state M, and a single qubit V which indicates acceptance or
rejection. The classical basis states of V are called $|\text{ACC}\rangle, |\text{REJ}\rangle$ by convention.

For any fixed key $k$, we denote the corresponding super-operators by $A_k$ and $B_k$.

Note that B may well have measured the qubit V to see whether or not the transmission was accepted or
rejected. Nonetheless, we think of V as a qubit rather than a classical bit since it will allow us to describe
the joint state of the two systems M, V with a density matrix.

There are two conditions which should be met by a quantum authentication protocol. On the one hand,
in the absence of intervention, the received state should be the same as the initial state and B should accept.

On the other hand, we want that when the adversary does intervene, B's output systems have high fidelity
to the statement "either B rejects or his received state is the same as that sent by A". One difficulty with this
is that it is not clear what is meant by "the same state" when A's input is a mixed state. It turns out that it is
sufficient to define security in terms of pure states; one can deduce an appropriate statement about fidelity
of mixed states (see Appendix B).

Given a pure state $|\psi\rangle \in H_M$, consider the following test on the joint system M, V: output a 1 if the
first $m$ qubits are in state $|\psi\rangle$ or if the last qubit is in state $|\text{REJ}\rangle$ (otherwise, output a 0). The projectors
corresponding to this measurement are

$$P_1^{|\psi\rangle} = |\psi\rangle\langle\psi| \otimes I_V + (I_M - |\psi\rangle\langle\psi|) \otimes |\text{REJ}\rangle\langle\text{REJ}|$$

$$P_0^{|\psi\rangle} = (I_M - |\psi\rangle\langle\psi|) \otimes |\text{ACC}\rangle\langle\text{ACC}|$$

We want that for all possible input states $|\psi\rangle$ and for all possible interventions by the adversary, the expected
fidelity of B's output to the space defined by $P_1^{|\psi\rangle}$ is high. This is captured in the following definition of
security.
Definition 2 A QAS is secure with error $\epsilon$ for a state $|\psi\rangle$ if it satisfies:

Completeness: For all keys $k \in K$: $B_k(A_k(|\psi\rangle\langle\psi|)) = |\psi\rangle\langle\psi| \otimes |\text{ACC}\rangle\langle\text{ACC}|$

Soundness: For all super-operators $O$, let $\rho_{Bob}$ be the state output by B when the adversary's intervention
is characterized by $O$, that is:

$$\rho_{Bob} = \mathbb{E}_k\big[B_k(O(A_k(|\psi\rangle\langle\psi|)))\big] = \frac{1}{\#K}\sum_{k \in K} B_k\big(O(A_k(|\psi\rangle\langle\psi|))\big)$$

where "$\mathbb{E}_k$" means the expectation when $k$ is chosen uniformly at random from $K$. The QAS has
soundness error $\epsilon$ for $|\psi\rangle$ if:

$$\mathrm{Tr}\big(P_1^{|\psi\rangle}\,\rho_{Bob}\big) \ge 1 - \epsilon.$$

A QAS is secure with error $\epsilon$ if it is secure with error $\epsilon$ for all states $|\psi\rangle$.

Note that our definition of completeness assumes that the channel connecting A to B is noiseless in
the absence of the adversary's intervention. This is in fact not a significant problem, as we can simulate a
noiseless channel using standard quantum error correction.

Interactive protocols So far we have dealt only with non-interactive quantum authentication
schemes, since that is both the most natural notion, and the one we achieve in this paper. However, there is
no reason to rule out interactive protocols in which A and B at the end believe they have reliably exchanged a
quantum message. The definitions of completeness and soundness extend naturally to this setting: as before,
B's final output is a pair of systems M, V, where the state space of V is spanned by $|\text{ACC}\rangle, |\text{REJ}\rangle$. In that
case $\rho_{Bob}$ is B's density matrix at the end of the protocol, averaged over all possible choices of shared private
key and executions of the protocol. The soundness error is $\epsilon$, where $\mathrm{Tr}(P_1^{|\psi\rangle}\rho_{Bob}) \ge 1 - \epsilon$.



4 Purity Testing Codes

An important tool in our proof is the notion of a purity testing code, which is a way for A and B to ensure
that they share (almost) perfect EPR pairs. We shall concentrate on purity testing codes based on stabilizer
QECCs.

Definition 3 A stabilizer purity testing code with error $\epsilon$ is a set of stabilizer codes $\{Q_k\}$, for $k \in K$, such
that $\forall x \in E$ with $x \neq 0$, $\#\{k \mid x \in Q_k^\perp - Q_k\} \le \epsilon(\#K)$.

That is, for any error $x$ in the error group, if $k$ is chosen later at random, the probability that the code $Q_k$
detects $x$ is at least $1 - \epsilon$. (Errors lying in $Q_k$ itself act trivially on the code space and are harmless; the
harmful undetectable errors are exactly those in $Q_k^\perp - Q_k$, which commute with every stabilizer element
without being one.)

Definition 4 A purity testing protocol with error $\epsilon$ is a superoperator $T$ which can be implemented with
local operations and classical communication, and which maps $2n$ qubits (half held by A and half held by
B) to $2m + 1$ qubits and satisfies the following two conditions:

Completeness: $T(|\Phi^+\rangle^{\otimes n}) = |\Phi^+\rangle^{\otimes m} \otimes |\text{ACC}\rangle$

Soundness: Let $P$ be the projection on the subspace spanned by $|\Phi^+\rangle^{\otimes m} \otimes |\text{ACC}\rangle$ and $|\psi\rangle \otimes |\text{REJ}\rangle$ for all
$|\psi\rangle$. Then $T$ satisfies the soundness condition if for all $\rho$,

$$\mathrm{Tr}\big(P\,T(\rho)\big) \ge 1 - \epsilon.$$

Throughout, we make no assumptions on the running time of the adversary.

The obvious way of constructing a purity testing protocol $T$ is to start with a purity testing code $\{Q_k\}$.
When Alice and Bob are given the state $\rho$, Alice chooses a random $k \in K$ and tells it to Bob. They both
measure the syndrome of $Q_k$ and compare. If the syndromes are the same, they accept and perform the
decoding procedure for $Q_k$; otherwise they reject.

Proposition 1 If the purity testing code $\{Q_k\}$ has error $\epsilon$, then $T$ is a purity testing protocol with error $\epsilon$.
The proof appears in the appendix.
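As an added illustration (not code from the paper), the following Python checks Definition 3 by brute force over all $4^n$ Pauli errors for a small family of stabilizer codes, and runs the syndrome-comparison round of the protocol above in the Pauli-error model, which is the case to which the Lo-Chau quantum-to-classical reduction cited in the introduction reduces a general attack. The two-qubit family {ZZ, XX, YY} is a toy instance chosen here, not the projective-geometry family of Section 4.1; each code has s = 1 generator and encodes one qubit. A single fixed code never suffices (some logical Pauli always passes its syndrome check, so $\epsilon = 1$), while the three-code family brings $\epsilon$ down to 2/3; the family of Theorem 2 is what makes $\epsilon$ shrink exponentially in $s$.

```python
"""Brute-force check of the purity-testing condition (Definition 3) for a
family of stabilizer codes, plus the syndrome-comparison round of the
protocol built from it (Proposition 1).

Added example, not code from the paper.  Paulis on n qubits are written,
up to phase, as a pair of n-bit integers (x, z): bit i of x set means an
X on qubit i, bit i of z a Z, both set a Y.  Two Paulis commute iff their
symplectic inner product is 0.  The two-qubit family {ZZ, XX, YY} used
below is this example's own toy instance.
"""
from itertools import product


def parity(v: int) -> int:
    return bin(v).count("1") & 1


def symplectic(p, q) -> int:
    """0 if the Paulis p and q commute, 1 if they anticommute."""
    (x1, z1), (x2, z2) = p, q
    return parity(x1 & z2) ^ parity(z1 & x2)


def pauli(label: str):
    """'XZIY' -> (x, z) bit masks; qubit i is character i of the label."""
    x = z = 0
    for i, c in enumerate(label):
        if c in "XY":
            x |= 1 << i
        if c in "ZY":
            z |= 1 << i
    return (x, z)


class StabilizerCode:
    """A stabilizer code Q on n qubits given by commuting generator labels.

    An error e is *detected* if it anticommutes with some generator (the
    syndrome changes) and *trivial* if it lies in Q itself (it acts as the
    identity on the code space).  Errors that are neither are exactly the
    elements of Q^perp - Q in Definition 3: they pass the syndrome check
    but corrupt the encoded qubits.
    """

    def __init__(self, n: int, generators):
        self.n = n
        self.gens = [pauli(g) for g in generators]
        assert all(symplectic(a, b) == 0 for a in self.gens for b in self.gens), \
            "stabilizer generators must commute"
        # enumerate the group Q generated by the generators (small s only)
        self.elements = set()
        for coeffs in product((0, 1), repeat=len(self.gens)):
            x = z = 0
            for c, (gx, gz) in zip(coeffs, self.gens):
                if c:
                    x ^= gx
                    z ^= gz
            self.elements.add((x, z))

    def detects(self, err) -> bool:
        return any(symplectic(err, g) for g in self.gens)

    def trivial(self, err) -> bool:
        return err in self.elements

    def undetected_nontrivial(self, err) -> bool:
        return not self.detects(err) and not self.trivial(err)


def purity_testing_error(n: int, codes) -> float:
    """Smallest eps for which {Q_k} is a purity-testing code with error eps:
    the largest fraction of codes that let some nonzero Pauli through."""
    worst = 0.0
    for x in range(1 << n):
        for z in range(1 << n):
            err = (x, z)
            if err == (0, 0):
                continue
            bad = sum(c.undetected_nontrivial(err) for c in codes)
            worst = max(worst, bad / len(codes))
    return worst


def purity_test_round(code: StabilizerCode, err) -> str:
    """One round of the protocol of Proposition 1 in the Pauli-error model:
    A and B compare syndromes of the chosen code on their halves of the
    EPR pairs.  Reports what happens to the decoded pairs."""
    if code.detects(err):
        return "reject"              # syndromes differ, B aborts
    if code.trivial(err):
        return "accept_clean"        # syndromes agree and the pairs are intact
    return "accept_corrupt"          # syndromes agree but the pairs are damaged


if __name__ == "__main__":
    single = [StabilizerCode(2, ["ZZ"])]
    family = [StabilizerCode(2, [g]) for g in ("ZZ", "XX", "YY")]
    print("single code   eps =", purity_testing_error(2, single))   # 1.0
    print("3-code family eps =", purity_testing_error(2, family))   # 0.666...
    for e in ("XI", "ZZ", "XX"):
        print(e, "->", purity_test_round(family[0], pauli(e)))
```

The brute force grows as $4^n$ and is only meant for small instances; its value is in making the covering property concrete: an attacker who fixes a Pauli before the key is chosen is caught unless that Pauli happens to be a logical operator of the code the key selects.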



4.1 An Efficient Purity Testing Code

Now we will give an example of a particularly efficient purity testing code. We will use the stabilizer
techniques summarized in appendix A, restricting to the case $n = rs$. We will construct a set of codes $Q_k$ each encoding
$m = (r - 1)s$ qubits in $n$ qubits, and show that the $Q_k$ form a purity testing code. (Note that the construction
below works just as well if instead of qubits, we use registers with dimension equal to any prime power;
see appendix D for details.) Using qubits in groups of $s$ allows us to view our field $GF(2^{2rs})$ as both a $2r$-
dimensional vector space over $GF(2^s)$ and a $2rs$-dimensional binary vector space. We need a symplectic
form that is compatible with this decomposition. One possibility is

$$B(x, y) := \mathrm{Tr}\big(x\,y^{2^{rs}}\big) \qquad (1)$$

where $\mathrm{Tr}(z) = \sum_{i=0}^{2rs-1} z^{2^i}$ is the standard trace function, which maps $GF(2^{2rs})$ onto $GF(2)$.

We consider a normal rational curve in $PG(2r - 1, 2^s)$ (the projective geometry whose points are the
1-d subspaces of the $2r$-dimensional vector space over $GF(2^s)$). Such a curve is given by:

$$\Gamma = \big\{\,[1 : y : y^2 : \cdots : y^{2r-1}],\ [0 : 0 : \cdots : 0 : 1]\,\big\}_{y \in GF(2^s)}. \qquad (2)$$

(The colon is used to separate the coordinates of a projective point, indicating that only their ratio matters.)
Thus, there are $2^s + 1$ points on the normal rational curve.

Since each "point" of this curve is actually a one-dimensional subspace over $GF(2^s)$, it can also be
considered as an $s$-dimensional binary subspace $Q_k$ in a vector space of dimension $2rs = 2n$. We will show
that $Q_k$ is totally isotropic with respect to the symplectic inner product (1), and encodes $m = n - s$ qubits
in $n$ qubits.

Theorem 2 The set of codes $Q_k$ form a stabilizer purity testing code with error

$$\epsilon = \frac{2r}{2^s + 1}. \qquad (3)$$

Each code $Q_k$ encodes $m = (r - 1)s$ qubits in $n = rs$ qubits.
The proof is in Appendix D.
5 Protocols

In this section we describe a secure non-interactive quantum authentication scheme (Protocol 5.2) which
satisfies the definition of section 3.

In order to prove our scheme secure, we begin with a purity testing protocol as per Section 4 (summarized
as Protocol 5.1). The security of this protocol follows from Prop. 1. We then perform several
transformations to the protocol that strictly preserve its security and goals but which remove the interaction,
replacing it with a shared private key. We thus obtain two less interactive intermediate protocols (Protocols
E.1 and E.2) and a final protocol (Protocol 5.2), which is completely non-interactive. The transformations
are similar in flavor to those of Shor and Preskill [19], who use the technique to obtain a simple proof of the
security of a completely different task, namely the BB84 [5] quantum key exchange scheme.

Protocol 5.1 (Purity Testing Based Protocol)

1: A and B agree on some stabilizer purity testing code $\{Q_k\}$.

2: A generates $2n$ qubits in state $|\Phi^+\rangle^{\otimes n}$. A sends the first half of each state to B.

3: B announces that he has received the $n$ qubits.

4: A picks a random $k \in K$, and announces it to B.

5: A and B measure the syndrome of the stabilizer code $Q_k$. A announces her results to B who compares
them to his own results. If any error is detected, B aborts.

6: A and B decode their $n$-qubit words according to $Q_k$. Each is left with $m$ qubits, which together should be
nearly in state $|\Phi^+\rangle^{\otimes m}$.

7: A uses her half of $|\Phi^+\rangle^{\otimes m}$ to teleport an arbitrary $m$-qubit state $\rho$ to B.



Following the notation of Section 3, let $P$ be the projector onto the subspace described by "either B
has aborted or the joint state held by A and B is $|\Phi^+\rangle^{\otimes m}$". Let $\rho_{AB}$ be the joint density matrix of A and
B's systems. Then Prop. 1 states that at the end of step 6, $\mathrm{Tr}(P\rho_{AB})$ is exponentially close to 1 in $n$. The
soundness of our first authentication protocol follows immediately:

Corollary 3 If A and B are connected by an authenticated classical channel, then Protocol 5.1 is a secure
interactive quantum authentication protocol, with soundness error exponentially small in $n$.

The proof is straightforward; we give it explicitly in Appendix E.

Theorem 4 When the purity testing code $\{Q_k\}$ has error $\epsilon$, Protocol 5.2 is a secure quantum authentication
scheme with key length $O(n + \log_2(\#K))$ and soundness error $\epsilon$. In particular, for the purity testing
code described in Section 4.1 the authentication scheme has key length $2m + s + \log_2(2^s + 1) < 2n + 1$ and
soundness error $2n/[s(2^s + 1)]$, where $m$ is the length of the message in qubits, $s$ is the security parameter,
and A sends a total of $n = m + s$ qubits.

Proof: From Corollary 3 we have that Protocol 5.1 is a secure interactive authentication protocol. We show
that Protocol 5.2 is equivalent to Protocol 5.1, in the sense that any attack on Protocol 5.2 implies an equally
successful attack on Protocol 5.1. To do so, we proceed by a series of reductions; the details appear in
Appendix E.
Protocol 5.2 (Non-interactive authentication)

1: Preprocessing: A and B agree on some stabilizer purity testing code $\{Q_k\}$ and some private and random
binary strings $k$, $x$, and $y$ ($k$ selects the code, $x$ is the $2m$-bit quantum one-time pad key, and $y$ is an
$n - m = s$ bit syndrome; this is the key length counted in Theorem 4).

2: A q-encrypts $\rho$ as $\tau$ using key $x$. A encodes $\tau$ according to $Q_k$, into the coset of $Q_k$ with syndrome $y$,
to produce $\sigma$. A sends $\sigma$ to B.

3: B receives the $n$ qubits. Denote the received state by $\sigma'$. B measures the syndrome $y'$ of the code $Q_k$ on his
qubits. B compares $y$ to $y'$, and aborts if any error is detected. B decodes his $n$-qubit word according to
$Q_k$, obtaining $\tau'$. B q-decrypts $\tau'$ using $x$ and obtains $\rho'$.



5.1 Public Key Quantum Authentication

Unlike its classical counterpart, quantum information can be authenticated in a public key setting but not in
a way that can be demonstrated to a judge. In section 6 we show the impossibility of a digital signature
scheme for quantum information; here, we instead introduce the notion of public key quantum authentication.

Let $E_B, D_B$ be B's public and private keyed algorithms for a public-key cryptosystem resistant to quantum computers' attacks.
Let $S_A, V_A$ be A's private and public keyed algorithms for a digital signature scheme resistant to quantum
computers' attacks. These may either be protocols which are secure with respect to a computational
assumption [17] or with unconditional security [14]. To perform authentication, A picks secret and random
binary strings $k$, $x$, and $y$, and uses them as keys to q-authenticate $\rho$ as $\rho'$. A encrypts and signs the key
as $\alpha := S_A(E_B(k|x|y))$. A sends $(\rho', \alpha)$ to B. To verify a state, B verifies A's signature on $\alpha$ using $V_A$
and then discovers the key $k, x$ and $y$ using his private decryption function $D_B$. B checks that $\rho'$ is a valid
q-authenticated message according to key $k, x, y$, and recovers $\rho$.



6 Good Authentication Implies Good Encryption

One notable feature of any protocol derived using Theorem 4 is that the information being authenticated
is also completely encrypted. For classical information, authentication and encryption can be considered
completely separately, but in this section we will show that quantum information is different. While quantum
states can be encrypted without any form of authentication, the converse is not true: any scheme which
guarantees authenticity must also encrypt the quantum state almost perfectly.

To show this, let us consider any fixed authentication scheme. Denote by $\rho_{|\psi\rangle}$ the density matrix transmitted
in this scheme when Alice's input is $|\psi\rangle$, averaged over the key. Let $\rho^{(k)}_{|\psi\rangle}$ denote the density matrix transmitted for key $k$.

Definition 5 An encryption scheme with error $\epsilon$ for quantum states hides information so that if $\rho_0$ and $\rho_1$
are any two distinct encrypted states, then the trace distance $D(\rho_0, \rho_1) = \tfrac{1}{2}\mathrm{Tr}|\rho_0 - \rho_1| \le \epsilon$.

We claim that any good QAS must necessarily also be a good encryption scheme. That is:

Theorem 5 (Main Lower Bound) A QAS with error $\epsilon$ is an encryption scheme with error at most $4\epsilon^{1/6}$.

Corollary 6 A QAS with error $\epsilon$ requires at least $2m(1 - \mathrm{poly}(\epsilon))$ classical key bits.
We prove this corollary in Appendix F. For now, we concentrate on Theorem 5.
The intuition behind the proof of this main theorem is that measurement disturbs quantum states, so if
the adversary can learn information about the state, she can change the state. More precisely, if the adversary
can distinguish between two states $|0\rangle$ and $|1\rangle$, she can change the state $|0\rangle + |1\rangle$ to $|0\rangle - |1\rangle$. An extreme
version of this situation is contained in the following proposition:

Proposition 7 Suppose that there are two states $|0\rangle, |1\rangle$ whose corresponding density matrices $\rho_{|0\rangle}, \rho_{|1\rangle}$ are
perfectly distinguishable. Then the scheme is not an $\epsilon$-secure QAS for any $\epsilon < 1$.

Proof: Since $\rho_{|0\rangle}, \rho_{|1\rangle}$ can be distinguished, they must have orthogonal support, say on subspaces $V_0, V_1$. So
consider an adversary who applies a phase shift of $-1$ conditioned on being in $V_1$. Then for all $k$, $\rho^{(k)}_{|0\rangle + |1\rangle}$
becomes $\rho^{(k)}_{|0\rangle - |1\rangle}$, which is a valid encoding under key $k$, so Bob accepts and decodes the (orthogonal) state $|0\rangle - |1\rangle$. □

However, in general, the adversary cannot exactly distinguish two states, so we must allow some probability
of failure. Note that it is sufficient in general to consider two encoded pure states, since any two mixed
states can be written as ensembles of pure states, and the mixed states are distinguishable only if some
pair of pure states are. Furthermore, we might as well let the two pure states be orthogonal, since if two
nonorthogonal states $|\psi_0\rangle$ and $|\psi_1\rangle$ are distinguishable, two basis states $|0\rangle$ and $|1\rangle$ for the space spanned by
$|\psi_0\rangle$ and $|\psi_1\rangle$ are at least as distinguishable.

Given the space limitations of this abstract, we outline the proof with a sequence of lemmas, whose
proofs are contained in the appendix.

We first consider the case when $|0\rangle$ and $|1\rangle$ can almost perfectly be distinguished. In that case, the
adversary can change $|0\rangle + |1\rangle$ to $|0\rangle - |1\rangle$ with high (but not perfect) fidelity (stated formally in Lemma
8). When $|0\rangle$ and $|1\rangle$ are more similar, we first magnify the difference between them by repeatedly encoding
the same state in multiple copies of the authentication scheme, then apply the above argument.

Lemma 8 Suppose that there are two states $|0\rangle, |1\rangle$ such that $D(\rho_{|0\rangle}, \rho_{|1\rangle}) \ge 1 - \eta$. Then the scheme is not
$\epsilon$-secure for $|\psi\rangle = |0\rangle + |1\rangle$ for any $\epsilon < 1 - 2\eta$.

When two states can be distinguished, but only just barely, the above lemma is not sufficient. Instead,
we must magnify the distinguishability of the states $|0\rangle$ and $|1\rangle$ by considering the tensor product of many
copies of the same state. The probability of distinguishing then goes to 1 exponentially fast in the number
of copies:

Lemma 9 Let $\rho_0, \rho_1$ be density matrices with $D(\rho_0, \rho_1) = \delta$. Then $D(\rho_0^{\otimes t}, \rho_1^{\otimes t}) \ge 1 - 2\exp(-t\delta^2/2)$.

We create these repeated states by encoding them in an iterated QAS consisting of $t$ copies of the original
QAS (with independent values of the key for each copy).

Lemma 10 Suppose we iterate the scheme $t$ times. Let $|\psi\rangle = \frac{1}{\sqrt{2}}(|000\ldots0\rangle + |111\ldots1\rangle)$. If $(A, B, K)$ is an
$\epsilon$-secure QAS, then the iterated scheme is $10t^3\epsilon$-secure for the state $|\psi\rangle$.

Note that the proof of this lemma goes through the following crucial claim, which follows from a simple
hybrid argument.

Claim 11 (Product states) The iterated scheme is $t\epsilon$-secure for any product state.

Putting the various lemmas together, we find that, given two states $|0\rangle$ and $|1\rangle$ which are slightly distinguishable
by the adversary, so $D(\rho_0, \rho_1) \ge \delta$, then in the iterated scheme, $|000\ldots0\rangle$ and $|111\ldots1\rangle$ are more
distinguishable: $D(\rho_{|000\ldots0\rangle}, \rho_{|111\ldots1\rangle}) \ge 1 - \eta$, where $\eta \le 2\exp(-t\delta^2/2)$. Since the iterated scheme is
$10t^3\epsilon$-secure for the state $|\psi\rangle = \frac{1}{\sqrt{2}}(|000\ldots0\rangle + |111\ldots1\rangle)$, then by Lemma 8,

$$10t^3\epsilon \ge 1 - 2\eta \ge 1 - 4\exp(-t\delta^2/2).$$

Choosing $t = 1/\sqrt[3]{20\epsilon}$, so that $10t^3\epsilon = 1/2$, we get $\delta \le 4\epsilon^{1/6}$.

7 Quantum Signatures 

One consequence of the previous theorem is that digitally signing quantum messages is impossible. One 
can imagine more than one way of defining this task, but any reasonable definition must allow a recipient — 
who should not be able to alter signed messages — to learn something about the contents of the message. 
However, this is precisely what is forbidden by the previous theorem: in an information-theoretic setting, 
any adversary who can gain a non-trivial amount of information must be able to modify the authenticated 
state with non-negligible success. 

If we consider computationally secure schemes, a somewhat narrower definition of digitally signing quantum states remains impossible to realize. If we assume a quantum digital signature protocol should allow any recipient to efficiently extract the original message, then a simple argument shows that he can also efficiently change it without being detected, contradicting the security of the scheme. Namely: assume that there is a transformation $U$ with a small circuit which extracts the original message $\rho$, leaving an auxiliary state $|\phi\rangle$ (which may not all be held by Bob). In order to preserve any entanglement between $\rho$ and a reference system, the auxiliary state $|\phi\rangle$ must be independent of $\rho$. Therefore, Bob can replace $\rho$ with any other state $\rho'$ and then perform $U^{-1}$ on $\rho'$ and his portion of $|\phi\rangle$, producing a valid signature for $\rho'$. This is an efficient procedure: the circuit for $U^{-1}$ is just the circuit for $U$ executed backwards.

Note that we have actually shown a somewhat stronger result: it is not possible, even when the sender 
is known to be honest, to authenticate a quantum message to a group of receivers (some of whom may be 
dishonest). This presentation also makes some limitations of our proof clear. For instance, the proof does 
not apply if the sender knows the identity of the quantum state he is signing, nor does it apply to signing 
classical messages. 

8 Discussion and Conclusion 

An interesting feature of our scheme: if the transmission quantum channel is not error free, we can modify 
our scheme to take advantage of the error-correction capability of the quantum code. More precisely, if B 
rejects only when the number of observed errors is too large then error correction will fix natural noise or 
tampering of small amplitude. 

We have examined various aspects of the problem of authenticating quantum messages. We have shown 
the security of a large class of private-key quantum authentication schemes, and presented a particular highly 
efficient scheme from that class. One feature of the scheme is that it completely encrypts the message, and 
we show that this is a necessary feature of any quantum message authentication code: if any observer can 
learn a substantial amount of information about the authenticated state, that observer also has a good chance 
of successfully changing the state without being detected. We have also studied authentication of quantum 
states in a public key context, and shown that while authentication is possible with public keys, digitally 
signing quantum states is never possible, even when only computational security is required. 
The necessity for encryption is rather surprising, given that classical messages can be authenticated without encrypting them. The difference can be understood as a complementarity feature of quantum mechanics: authenticating a message in one basis requires encrypting it in the complementary Fourier-transformed basis. This is essentially another realization of the principle that measuring data in one basis disturbs it in any complementary basis. For classical messages, therefore, encryption is not required: only one basis is relevant. In contrast, for quantum messages, we require authentication in all bases and therefore we must also require encryption in all bases.

Note that purity-testing codes have many applications beyond QAS. For instance, the efficient purity-testing code of Section [?] can be used to create a correspondingly efficient QKD protocol.

A Quantum Stabilizer Codes

A quantum error-correcting code (QECC) is a way of encoding quantum data (say m qubits) into n qubits 
(m < n) such that the encoded data is protected from errors of small weight: the code is said to correct t 
errors if any operator which affects less than t qubits of the encoding can be corrected without disturbing 
the encoded state. Usually the goal in the construction of codes is to maximize this minimum distance for 
particular m, n. However, in this paper, we use the theory developed for those purposes to construct families 
of codes with a different type of property. For now, we review the necessary theory on a very general class 
of codes known as stabilizer codes. 

Our construction is based on a class of QECCs for $q$-dimensional registers, with $q = p^n$ a prime power (later we will specialize to the case where $p = 2$, so each register consists of $n$ qubits). A basis for the set of all operators on the $p$-dimensional Hilbert space is the "shift/phase" error basis on $p$-dimensional Hilbert space, defined via $E_{a,b} = X^a Z^b$, where $\langle i|X|j\rangle = \delta_{i,j+1}$ and $\langle i|Z|j\rangle = \zeta^i\delta_{i,j}$, for $\zeta = \exp(2\pi i/p)$ a primitive $p$th root of unity, are the standard-basis matrix elements of the "shift by one" and "ramp the phase by one" operators. (Here, indices are in $\mathbb{Z}_p$.) This basis has a simple multiplication rule: $E_{a,b}E_{a',b'} = \zeta^{a'b}E_{a+a',b+b'}$. Thus, $\{\zeta^c E_{a,b}\}$ is a group containing a basis for the whole operator space for one register. If we have $n$ registers, we can simply use the tensor product $\mathcal{E}$ of $n$ copies of this operator group; each element corresponds to a $2n$-dimensional vector, and the vectors $x = (a|b)$, $y = (a'|b')$ come from commuting operators iff their symplectic inner product is $0$ in $\mathbb{Z}_p$:

$E_xE_y = E_yE_x \iff B(x,y) = a'\cdot b - a\cdot b' = 0. \quad (4)$
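As an added check (not code from the paper), the following Python builds the shift/phase operators $E_{a,b} = X^aZ^b$ from the matrix elements just given and verifies numerically, for small $p$ and $n$, both the multiplication rule $E_{a,b}E_{a',b'} = \zeta^{a'b}E_{a+a',b+b'}$ and the commutation criterion (4); it uses only the standard library.

```python
import cmath
import itertools


def zeta(p):
    """Primitive p-th root of unity zeta = exp(2*pi*i/p)."""
    return cmath.exp(2j * cmath.pi / p)


def shift_phase(p, a, b):
    """Matrix of E_{a,b} = X^a Z^b on one p-dimensional register.
    With <i|X|j> = delta_{i,j+1} and <i|Z|j> = zeta^i delta_{i,j} we have
    X^a Z^b |j> = zeta^{b j} |j+a>, so entry (i, j) is zeta^{b j} iff i = j+a (mod p)."""
    z = zeta(p)
    return [[z ** (b * j) if i == (j + a) % p else 0 for j in range(p)] for i in range(p)]


def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]


def kron(A, B):
    """Tensor product of two square matrices."""
    n, m = len(A), len(B)
    return [[A[i // m][j // m] * B[i % m][j % m] for j in range(n * m)] for i in range(n * m)]


def scale(c, A):
    return [[c * v for v in row] for row in A]


def close(A, B, tol=1e-9):
    return all(abs(x - y) < tol for ra, rb in zip(A, B) for x, y in zip(ra, rb))


def error_operator(p, x):
    """E_x for x = (a|b) in Z_p^{2n}: the tensor product of E_{a_i,b_i} over the n registers."""
    n = len(x) // 2
    a, b = x[:n], x[n:]
    M = [[1]]
    for ai, bi in zip(a, b):
        M = kron(M, shift_phase(p, ai, bi))
    return M


def symplectic_form(x, y, p):
    """B(x, y) = a'.b - a.b' (mod p) for x = (a|b), y = (a'|b'), as in equation (4)."""
    n = len(x) // 2
    a, b, a2, b2 = x[:n], x[n:], y[:n], y[n:]
    return (sum(u * v for u, v in zip(a2, b)) - sum(u * v for u, v in zip(a, b2))) % p


def multiplication_rule_holds(p):
    """Check E_{a,b} E_{a',b'} = zeta^{a' b} E_{a+a', b+b'} for every a, b, a', b' in Z_p."""
    z = zeta(p)
    for a, b, a2, b2 in itertools.product(range(p), repeat=4):
        lhs = matmul(shift_phase(p, a, b), shift_phase(p, a2, b2))
        rhs = scale(z ** (a2 * b), shift_phase(p, (a + a2) % p, (b + b2) % p))
        if not close(lhs, rhs):
            return False
    return True


def commutation_criterion_holds(p, n):
    """Check E_x E_y = E_y E_x  <=>  B(x, y) = 0 for all x, y in Z_p^{2n} (equation (4))."""
    vectors = list(itertools.product(range(p), repeat=2 * n))
    ops = {x: error_operator(p, x) for x in vectors}
    for x, y in itertools.product(vectors, repeat=2):
        commute = close(matmul(ops[x], ops[y]), matmul(ops[y], ops[x]))
        if commute != (symplectic_form(x, y, p) == 0):
            return False
    return True


if __name__ == "__main__":
    for p in (2, 3, 5):
        print(f"p={p}: multiplication rule holds: {multiplication_rule_holds(p)}")
    for p, n in ((2, 2), (3, 1), (5, 1)):
        print(f"p={p}, n={n}: commutation criterion (4) holds: {commutation_criterion_holds(p, n)}")
```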

A stabilizer code is a QECC given by an Abelian subgroup $S$ of $\mathcal{E}$, which does not contain any multiples of the identity other than $I$ itself. $S$ can be described by the set $Q$ of $2n$-dimensional vectors $x$ such that $E_x \in S$. This will be a subspace of $\mathbb{Z}_p^{2n}$. Moreover, it will be totally isotropic, i.e. $B(x,y) = 0$ for all $x, y$ in the subspace. If we take a set of generators for $S$, we can divide Hilbert space into a set of equidimensional orthogonal subspaces. Each such space $T$ consists of common eigenvectors of all operators of $S$ having a fixed pattern of eigenvalues, unique to $T$. The space with all eigenvalues $+1$ is the "code space," its elements are "codewords," and the orthogonal spaces are labelled by "syndromes."

Note that one can also view $B(\cdot,\cdot)$ as a symplectic form over $GF(p^{2n})$, by choosing a set of generators for $GF(p^{2n})$ as a vector space over $\mathbb{Z}_p$. By choosing different sets of generators for $GF(p^{2n})$ as a vector space over $\mathbb{Z}_p$, we can get different symplectic forms $B(\cdot,\cdot)$ over this finite vector space. By judicious choice of the generators, one can make $B(\cdot,\cdot)$ correspond to any non-degenerate symplectic form over $GF(p^{2n})$.
Undetectable errors We can classify errors which lie in $\mathcal{E}$ into three categories: The errors corresponding to elements of $Q$ are not truly errors — they leave the codewords unchanged. Errors which fail to commute with some element of $Q$ move codewords into a subspace orthogonal to the code, so can be detected by the QECC. The remaining errors, those which commute with all elements in $S$ but are not themselves in $S$, are the undetectable errors of the code. Thus, if $Q^\perp$ is the space of vectors $y$ for which $B(x,y) = 0$ for all $x \in Q$, the set of undetectable errors is just $Q^\perp - Q$.

Syndromes Note that specifying the subgroup $S$ by a set $Q$ of elements of $GF(p^{2n})$ isn't quite enough: operators differing by a phase $\zeta^c$ correspond to the same field element, but yield different QECCs in the Hilbert space. Given an $s$-dimensional totally isotropic subspace of $\mathbb{Z}_p^{2n}$, there are $p^s$ possible choices of phases for the group $S$, which produce $p^s$ different QECCs. However, all these codes have identical error correction properties. The corresponding code subspaces are all orthogonal and of the same dimension $p^{n-s}$. These codes are known as cosets of the code $S$, defined as the standard choice with all phases equal to 1.² The choice of phases is known as the syndrome (because errors outside $S^\perp$ map the code into a different coset, and the syndrome therefore gives information about which error occurred). Measuring the syndrome projects a quantum state into one of these codes.



B Alternative Security Definition 

The definition of security of an authentication scheme given in Section [?] appears at first sight to have a major shortcoming: it does not tell what happens when $A$'s input is a mixed state. Intuitively, this should not be a problem, since one expects security to extend from pure states to mixed states more or less by linearity. Indeed, this is the case, but it is not entirely clear what is meant by security when $A$'s input is a mixed state $\rho$. One straightforward approach is to add a reference system $R$, and to assume the joint system of $A$ and $R$ is always pure; then the requirement is that the final state of $B$ and $R$ should have high fidelity to the initial state. We could also use the following informal definition, which we will show is implied by Definition 2: as long as $B$'s probability of acceptance is significant, then when he accepts, the fidelity of the message state he outputs to $A$'s original state should be almost 1.

Proposition 12 Suppose that $(A, B, \mathcal{K})$ is an $\epsilon$-secure QAS. Let $\rho$ be the density matrix of $A$'s input state and let $\rho'$ be the density matrix output by $B$ conditioned on accepting the transmission as valid. Then if $B$'s probability of accepting is $p_{\mathrm{acc}}$, the fidelity of $\rho$ to $\rho'$ is bounded below. For any $\rho$ and any adversary action $\mathcal{O}$, we have:

$F(\rho, \rho') \geq 1 - \frac{\epsilon}{p_{\mathrm{acc}}}.$

In particular, if $\epsilon$ is negligible and $p_{\mathrm{acc}}$ is non-negligible, then the fidelity of $B$'s state to $A$'s input state will be essentially 1.



To prove this, we first restate Proposition 12 more formally. Let $\rho_{\mathrm{Bob}}$ be the state of $B$'s two output systems $M, V$ when $A$'s input is $\rho$. Denote the projector onto the space of accepting states by $\Pi$, that is

$\Pi = I_M \otimes |\mathrm{acc}\rangle\langle\mathrm{acc}|.$

Using this notation, $B$'s probability of accepting is $p_{\mathrm{acc}} = \mathrm{Tr}(\Pi\rho_{\mathrm{Bob}})$, and the density matrix of the joint system $M, V$ conditioned on acceptance is $\rho_{\mathrm{acc}} = \frac{\Pi\rho_{\mathrm{Bob}}\Pi}{\mathrm{Tr}(\Pi\rho_{\mathrm{Bob}})} = \frac{\Pi\rho_{\mathrm{Bob}}\Pi}{p_{\mathrm{acc}}}$.

Now since $\rho_{\mathrm{acc}}$ has been restricted to the cases where $B$ accepts, we can write $\rho_{\mathrm{acc}} = \rho' \otimes |\mathrm{acc}\rangle\langle\mathrm{acc}|$, where $\rho'$ is the density matrix of $B$'s message system conditioned on his acceptance of the transmission as valid. From the definition of fidelity, we can see that

$F(\rho, \rho') = F(\rho \otimes |\mathrm{acc}\rangle\langle\mathrm{acc}|, \rho_{\mathrm{acc}}).$
² Actually, the "standard" coset also depends on the selection of a basis of generators for $S$.
We can now restate the theorem:

Claim (Proposition 12): $F(\rho \otimes |\mathrm{acc}\rangle\langle\mathrm{acc}|, \rho_{\mathrm{acc}}) \geq 1 - \frac{\epsilon}{p_{\mathrm{acc}}}$.

Proof (of Proposition 12): Write $\rho = \sum_i p_i|\psi_i\rangle\langle\psi_i|$ for some orthonormal basis $\{|\psi_i\rangle\}$. For each $i$, let $\rho_i$ be $B$'s output when $A$ uses input $|\psi_i\rangle$. We have $\rho_{\mathrm{Bob}} = \sum_i p_i\rho_i$.

For each $i$, let $P_i = |\psi_i\rangle\langle\psi_i| \otimes |\mathrm{acc}\rangle\langle\mathrm{acc}|$ and let $Q_i = (I_M - |\psi_i\rangle\langle\psi_i|) \otimes |\mathrm{acc}\rangle\langle\mathrm{acc}|$, so that $P_i + Q_i = \Pi$.

Now we can write $\rho \otimes |\mathrm{acc}\rangle\langle\mathrm{acc}| = \sum_i p_iP_i$, and $\rho_{\mathrm{acc}} = \frac{\Pi\rho_{\mathrm{Bob}}\Pi}{p_{\mathrm{acc}}} = \sum_i p_i\frac{\Pi\rho_i\Pi}{p_{\mathrm{acc}}}$. By the concavity of fidelity (Theorem 9.7 of [16]), we get

$F(\rho \otimes |\mathrm{acc}\rangle\langle\mathrm{acc}|, \rho_{\mathrm{acc}}) = F\left(\sum_i p_iP_i, \sum_i p_i\frac{\Pi\rho_i\Pi}{p_{\mathrm{acc}}}\right) \geq \sum_i p_i\,F\left(P_i, \frac{\Pi\rho_i\Pi}{p_{\mathrm{acc}}}\right). \quad (5)$

The formula for fidelity for one-dimensional projectors is simple: for a projector $P$ and any density matrix $\sigma$, we have $F(P, \sigma) = \sqrt{\mathrm{Tr}(P\sigma)}$. Thus expression (5) simplifies to

$\sum_i p_i\sqrt{\frac{\mathrm{Tr}(P_i\Pi\rho_i\Pi)}{p_{\mathrm{acc}}}}.$

Using the fact that $\Pi P_i\Pi = P_i$, we can further simplify this:

$\sum_i p_i\sqrt{\frac{\mathrm{Tr}(P_i\rho_i)}{p_{\mathrm{acc}}}}.$

Since $\mathrm{Tr}(P_i\rho_i)/p_{\mathrm{acc}}$ is always less than 1, we can obtain a lower bound by removing the square root sign:

$F(\rho \otimes |\mathrm{acc}\rangle\langle\mathrm{acc}|, \rho_{\mathrm{acc}}) \geq \sum_i p_i\frac{\mathrm{Tr}(P_i\rho_i)}{p_{\mathrm{acc}}}. \quad (6)$

Now the acceptance probability $p_{\mathrm{acc}} = \mathrm{Tr}(\Pi\rho_{\mathrm{Bob}})$ can be written as $\sum_i p_i\mathrm{Tr}(\Pi\rho_i)$. Using the fact that $\Pi = P_i + Q_i$ we get that $p_{\mathrm{acc}} = \left(\sum_i p_i\mathrm{Tr}(P_i\rho_i)\right) + \left(\sum_i p_i\mathrm{Tr}(Q_i\rho_i)\right)$.

But by the definition of $\epsilon$-security, we know that for each $i$, we have $\mathrm{Tr}(Q_i\rho_i) \leq \epsilon$, and so $p_{\mathrm{acc}} \leq \left(\sum_i p_i\mathrm{Tr}(P_i\rho_i)\right) + \epsilon$, and so we get $\left(\sum_i p_i\mathrm{Tr}(P_i\rho_i)\right) \geq p_{\mathrm{acc}} - \epsilon$. Applying this observation to expression (6), we get:

$F(\rho \otimes |\mathrm{acc}\rangle\langle\mathrm{acc}|, \rho_{\mathrm{acc}}) \geq \frac{p_{\mathrm{acc}} - \epsilon}{p_{\mathrm{acc}}} = 1 - \frac{\epsilon}{p_{\mathrm{acc}}}.$

□



C Proof of Proposition [?]

Proposition [?] states that a stabilizer purity testing code can always be used to produce a purity testing protocol with the same error $\epsilon$.

Proof: If $A$ and $B$ are given $n$ EPR pairs, this procedure will always accept, and the output will always be $|\Phi^+\rangle^{\otimes m}$. Thus, $T$ satisfies the completeness condition.

Suppose for the moment that the input state is $(E_x \otimes I)|\Phi^+\rangle^{\otimes n}$, for $E_x \in \mathcal{E}$, $x \neq 0$. Then when $k$ is chosen at random, there is only probability $\epsilon$ that $x \in Q_k^\perp - Q_k$. If $x \notin Q_k^\perp$, then $A$ and $B$ will find different error syndromes, and therefore reject the state. If $x \in Q_k^\perp$, then $A$ and $B$ will accept the state, but if $x \in Q_k$, then the output state will be $|\Phi^+\rangle^{\otimes m}$ anyway. Thus, the probability that $A$ and $B$ will accept an incorrect state is at most $\epsilon$.

To prove the soundness condition, we can use this fact and a technique of Lo and Chau [15]. The states $(E_x \otimes I)|\Phi^+\rangle^{\otimes n}$ form the Bell basis for the Hilbert space of $A$ and $B$. Suppose a nonlocal third party first measured the input state $\rho$ in the Bell basis; call this measurement $\mathcal{B}$. Then the argument of the previous paragraph would apply to show the soundness condition. In fact, it would be sufficient if Alice and Bob used the nonlocal measurement $Q_k \otimes Q_k$ which compares the $Q_k$-syndromes for $A$ and $B$ without measuring them precisely. This is a submeasurement of the Bell measurement $\mathcal{B}$ — that is, it gives no additional information about the state. Therefore it commutes with $\mathcal{B}$, so the sequence $\mathcal{B}$ followed by $Q_k \otimes Q_k$ is the same as $Q_k \otimes Q_k$ followed by $\mathcal{B}$, which therefore gives probability at least $1 - \epsilon$ of success for general input states $\rho$. But if the state after $Q_k \otimes Q_k$ gives, from a Bell measurement, $|\Phi^+\rangle^{\otimes m}$ or $|\mathrm{rej}\rangle$ with probability $1 - \epsilon$, then the state itself must have fidelity $1 - \epsilon$ to the projection $P$. Therefore, the measurement $Q_k \otimes Q_k$ without $\mathcal{B}$ satisfies the soundness condition. Moreover, $A$ and $B$'s actual procedure $T$ is a refinement of $Q_k \otimes Q_k$ — that is, it gathers strictly more information. Therefore, it also satisfies the soundness condition, and $T$ is a purity testing protocol with error $\epsilon$.

□ 



D Analysis of Purity-Testing Code Construction 



It is straightforward to extend the purity testing code defined in Section [?] to arbitrary finite fields $GF(q)$. To do so, we work over a global field $GF(q^{2rs})$ and break it down into both a $2r$-dimensional vector space over $GF(q^s)$ and a $2rs$-dimensional vector space over $GF(q)$. We exploit this by defining our $GF(q)$-valued symplectic form $B$ via a choice of a $GF(q^s)$-valued symplectic form $C$ on $GF(q^{2rs})$ and a non-null linear map $L : GF(q^s) \to GF(q)$, where linearity is defined by viewing $GF(q^s)$ as an $s$-dimensional vector space over $GF(q)$. Then

$B(x,y) := L(C(x,y)). \quad (7)$

Bilinearity and alternation of $B$ are obvious. For fixed $y$ (respectively $x$), by $C$'s nondegeneracy there is a $z$ such that $C(z,y)$ (respectively $C(x,z)$) is nonzero. Considering $\alpha z$ in place of $z$, for all scalars $\alpha \in GF(q^s)$, and still holding $y$ ($x$) fixed, shows (by bilinearity of $C$) that $C(x,y)$ takes all values in $GF(q^s)$ as $x$ ($y$) is varied; by non-nullity of $L$, not all of these can map to zero, i.e. $B$ is nondegenerate.

The definition of the purity testing code $\{Q_k\}$ is then the same as in the binary case.

Theorem 13 The set of codes $Q_k$ form a stabilizer purity testing code with error

$\epsilon = \frac{2r}{q^s + 1}. \quad (8)$

Each code $Q_k$ encodes $m = (r-1)s$ dimension-$q$ registers in $n = rs$ registers.

We must show (a) that $Q_k$ is totally isotropic, and (b) that the error probability is at most $\epsilon$.

(a) For $\alpha, \beta \in GF(q^s)$, we have

$B(\alpha x, \beta y) = L(C(\alpha x, \beta y)) = L(\alpha\beta\,C(x,y)). \quad (9)$

Fix an $x \in Q_k - \{0\}$. Every $y \in Q_k$ may be written as $\alpha x$, for some $\alpha \in GF(q^s)$. Now $C(x,x) = 0$. So, $B(\alpha x, \beta x) = 0$, i.e., $Q_k$ is totally isotropic under the symplectic form $B$.
(b) We must find, for an arbitrary error $E_x$ (which can be described via a $2n$-dimensional $GF(q)$ vector $x$), an upper bound on the number of $Q_k^\perp - Q_k$ it can belong to. It will be sufficient to bound the number of $Q_k^\perp$ the error can belong to, since $|Q_k|$ is small compared to $|Q_k^\perp|$ in our context. $x \in Q_k^\perp$ means $B(x,y) = 0$ for all $y \in Q_k$. By choice of $s$ linearly independent $y \in Q_k$ this imposes $s$ linearly independent linear equations on $x$. We will show below that if we take any $2r$ codes $Q_k$ defined by points on $\Gamma$, and take $s$ independent vectors from each, the resulting set of $2rs$ vectors is linearly independent. Thus if $E_x$ is undetectable in $2r$ such codes, this imposes the dimension's worth ($2rs$) of linearly independent equations on $x$. Consequently, $E_x$ must be detectable in all the remaining codes, i.e., $E_x$ can satisfy $x \in Q_k^\perp$ for at most $2r$ values of $k$, when $Q_k$ are chosen among the $q^s + 1$ available $s$-dimensional spaces corresponding to points on $\Gamma$. Thus, the $\{Q_k\}$ form a purity testing code with error

$\epsilon \leq \frac{2r}{q^s + 1}. \quad (10)$

We now show the claimed property of codes defined by $\Gamma$. A set of points in a projective geometry of dimension $d - 1$ are said to be in general position if any $d$ (= dimension of the underlying vector space, when, as in our case, such exists) of them are linearly independent. The points on the normal rational curve $\Gamma$ are in general position, and indeed a maximal set of such points. (To verify that they are in general position one shows that for any $2r$ points on the curve, the determinant of the matrix of their coordinates is nonzero; these are Vandermonde determinants.) That is, any $2r$ points on $\Gamma$ are linearly independent. Each point $k$ on $\Gamma$ corresponds to an $s$-dimensional code $Q_k$, consisting of $2rs$-dimensional vectors. Let $z$ be any nonzero element of $Q_k$. As $\alpha$ ranges over $GF(q^s)$, $\alpha z$ ranges over all vectors in $Q_k$. Thus, if any vector from $Q_k$ is a linear combination of vectors from other codes $\{Q_j\}$, then all of $Q_k$ is also a linear combination of vectors from $\{Q_j\}$, and $k$ is linearly dependent on the points $\{j\}$ of $\Gamma$. So if we take any $2r$ codes $Q_k$, and take $s$ independent vectors from each, the resulting set of $2rs$ vectors is linearly independent.



E Proof of secure authentication

Corollary [?] states that the interactive authentication Protocol 5.1 is secure.

Proof (of Corollary [?]):

The completeness of the protocol can be seen by inspection: in the absence of intervention, $A$ and $B$ will share the Bell states $|\Phi^+\rangle^{\otimes m}$ at the end of step 6 and so after the teleportation in step 7 $B$'s output will be exactly the input of $A$.

To prove soundness, suppose that $A$'s input is a pure state $|\psi\rangle$. Intuitively, at the end of step 6, $A$ and $B$ share something very close to $|\Phi^+\rangle^{\otimes m}$, and so after the teleportation in step 7 either $B$'s output will be very close to $A$'s input, or he will reject because of interference from the adversary.

More formally, after step 6, the joint state $\rho_{AB}$ satisfies $\mathrm{Tr}(P\rho_{AB}) \geq 1 - \epsilon$. At this point, by assumption the only thing that the adversary can do is attempt to jam the communication between $A$ and $B$. Thus the effect of step 7 will be to map the subspace given by $P$ into the subspace given by $P^{|\psi\rangle}$. Consequently, at the end of the protocol, $B$'s output density matrix will indeed lie almost completely in the subspace defined by $P^{|\psi\rangle}$.

□ 



Theorem [?] states that the non-interactive Protocol 5.2 is secure. To prove this, we show that Protocol 5.1 is equivalent to Protocol 5.2, by moving through two intermediate protocols, E.1 and E.2. We reduce the security of each protocol to the previous one; since Protocol 5.1 is secure by Corollary [?], the theorem follows.



Protocol E.1 (Intermediate Protocol I)

1: $A$ and $B$ agree on some stabilizer purity testing code $\{Q_k\}$.

2: $A$ generates $2n$ qubits in state $|\Phi^+\rangle^{\otimes n}$. $A$ picks at random $k \in \mathcal{K}$, and measures the syndrome $y$ of the stabilizer code $Q_k$ on the first half of the EPR pairs. $A$ decodes her $n$-qubit word according to $Q_k$. $A$ performs the Bell measurement to start teleportation with her state $\rho$, using the decoded state as if it were half of $|\Phi^+\rangle$ pairs, but does not yet reveal the measurement results $x$ of the teleportation. $A$ sends the second half of each EPR pair to $B$.

3: $B$ announces that he has received the $n$ qubits. Denote the received state by $\sigma'$.

4: $A$ announces $k$ and the syndrome $y$ of $Q_k$ to $B$.

5: $B$ measures the syndrome $y'$ of $Q_k$ on his $n$ qubits. $B$ compares the syndrome $y'$ to $y$. If they are different, $B$ aborts. $B$ decodes his $n$-qubit word according to $Q_k$.

6: $A$ concludes the teleportation by sending the teleportation measurement results $x$ from step 2. $B$ does his part of the teleportation and obtains $\rho'$.

Protocol E.2 (Intermediate Protocol II)

1: $A$ and $B$ agree on some stabilizer purity testing code $\{Q_k\}$.

2: $A$ chooses a random $2n$-bit key $x$ and q-encrypts $\rho$ as $\tau$ using $x$. $A$ picks a random $k \in \mathcal{K}$, and syndrome $s$ for the code $Q_k$ and encodes $\tau$ according to $Q_k$. $A$ sends the result to $B$.

3: $B$ announces that he has received the $n$ qubits. Denote the received state by $\sigma'$.

4: $A$ announces $k$, $x$, and $y$ to $B$.

5: $B$ measures the syndrome $y'$ of the code $Q_k$. $B$ compares $y$ to $y'$, and aborts if they are different. $B$ decodes his $n$-qubit word according to $Q_k$, obtaining $\tau'$. $B$ q-decrypts $\tau'$ using $x$ and obtains $\rho'$.

Protocol 5.1 → Protocol E.1: We obtain Protocol E.1 by observing that in Protocol 5.1, $A$ can perform all of her operations (except for the transmissions) before she actually sends anything to $B$, since these actions do not depend on $B$'s feedback. This will not change any of the states transmitted in the protocol or computed by Bob, and so both completeness and soundness will remain the same.

Protocol E.1 → Protocol E.2: There are two changes between Protocols E.1 and E.2. First, note that measuring the first qubit of a state $|\Phi^+\rangle$ and obtaining a random bit $c_i$ is equivalent to choosing $c_i$ at random and preparing the pure state $|c_i\rangle \otimes |c_i\rangle$. Therefore, instead of preparing the state $|\Phi^+\rangle^{\otimes n}$ and measuring the syndrome of half of it, $A$ may as well choose the syndromes $s$ at random and encode both halves of the state $|\Phi^+\rangle^{\otimes m}$ using the code $Q_k$ and the syndrome $s$.

Second, rather than teleporting her state $\rho$ to $B$ using the EPR halves which were encoded in $Q_{s_1,s_2}$, $A$ can encrypt $\rho$ using a quantum one-time pad (QOTP) and send it to $B$ directly, further encoded in $Q_k$. These behaviours are equivalent since either way, the encoded state is $\sigma_x^{t_1}\sigma_z^{t_2}\rho\,\sigma_z^{t_2}\sigma_x^{t_1}$, where $t_1$ and $t_2$ are random $n$-bit vectors.

Protocol E.2 → Protocol 5.2: In Protocol 5.2, all the random choices of $A$ are replaced with the bits taken from a secret random key shared only by her and $B$. This eliminates the need for an authenticated classical channel, and for any interaction in the protocol. This transformation can only increase the security of the protocol as it simply removes the adversary's ability to jam the classical communication. □
F Proofs from Section 6



Theorem 14 (Main Lower Bound) A QAS with error $\epsilon$ is an encryption scheme with error at most $4\epsilon^{1/6}$.

To get a sense of the proof, consider the following proposition: 

Proposition 15 Suppose that there are two states $|0\rangle, |1\rangle$ whose corresponding density matrices $\rho_{|0\rangle}, \rho_{|1\rangle}$ are perfectly distinguishable. Then the scheme is not an $\epsilon$-secure QAS for any $\epsilon < 1$.

Proof: Since $\rho_{|0\rangle}, \rho_{|1\rangle}$ can be distinguished, they must have orthogonal support, say on subspaces $V_0, V_1$. So consider an adversary who applies a phaseshift of $-1$ conditioned on being in $V_1$. Then for all $k$, $\rho^{(k)}_{|0\rangle+|1\rangle}$ becomes $\rho^{(k)}_{|0\rangle-|1\rangle}$. Thus, Bob will decode the (orthogonal) state $|0\rangle - |1\rangle$. □

However, in general, the adversary cannot exactly distinguish two states, so we must allow some probability of failure. Note that it is sufficient in general to consider two encoded pure states, since any two mixed states can be written as ensembles of pure states, and the mixed states are distinguishable only if some pair of pure states are. Furthermore, we might as well let the two pure states be orthogonal, since if two nonorthogonal states $|\psi_0\rangle$ and $|\psi_1\rangle$ are distinguishable, two basis states $|0\rangle$ and $|1\rangle$ for the space spanned by $|\psi_0\rangle$ and $|\psi_1\rangle$ are at least as distinguishable.

We first consider the case when $|0\rangle$ and $|1\rangle$ can almost perfectly be distinguished. In that case, the adversary can change $|0\rangle + |1\rangle$ to $|0\rangle - |1\rangle$ with high (but not perfect) fidelity (stated formally in Lemma 16). When $|0\rangle$ and $|1\rangle$ are more similar, we first magnify the difference between them by repeatedly encoding the same state in multiple copies of the authentication scheme, then apply the above argument.

Lemma 16 Suppose that there are two states $|0\rangle, |1\rangle$ such that $D(\rho_{|0\rangle}, \rho_{|1\rangle}) > 1 - \eta$. Then the scheme is not $\epsilon$-secure for $|\psi\rangle = |0\rangle + |1\rangle$ for any $\epsilon < 1 - 2\eta$.

Proof (of Lemma 16): Let $\rho_0 = \rho_{|0\rangle}$ and $\rho_1 = \rho_{|1\rangle}$. Consider the Hermitian matrix $\sigma = \rho_0 - \rho_1$. We can diagonalize $\sigma$. Let $V_0$ be the space spanned by eigenvectors with non-negative eigenvalues and let $V_1$ be the orthogonal complement.

Since $\frac{1}{2}\mathrm{Tr}|\sigma| > 1 - \eta$, but $\mathrm{Tr}\,\sigma = 0$, we know that $\mathrm{Tr}(V_0\sigma) = -\mathrm{Tr}(V_1\sigma) > 1 - \eta$. Thus, $\mathrm{Tr}(V_0\rho_0) \geq \mathrm{Tr}(V_0\sigma) > 1 - \eta$. Similarly, $\mathrm{Tr}(V_1\rho_1) \geq -\mathrm{Tr}(V_1\sigma) > 1 - \eta$.

Consider an adversary who applies a phaseshift of $-1$ conditioned on being in $V_1$. Fix a particular key $k$. Let $p_0 = \mathrm{Tr}(V_0\rho_0^{(k)})$ and $p_1 = \mathrm{Tr}(V_1\rho_1^{(k)})$. We know that the expected values of $p_0$ and $p_1$ are both at least $1 - \eta$.

Claim 17 When the input state is $\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$, the fidelity of Bob's output to the state $\frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)|\mathrm{acc}\rangle$ is at least $p_0 + p_1 - 1$.

Proof: Consider some reference system $R$ which allows us to purify the states $\rho_0^{(k)}, \rho_1^{(k)}$ to the states $|\tilde{0}\rangle, |\tilde{1}\rangle$. Let $|\tilde{\psi}\rangle$ be the image of $\frac{1}{\sqrt{2}}(|\tilde{0}\rangle + |\tilde{1}\rangle)$ under the adversary's conditional phaseshift.

We want to show that $|\tilde{\psi}\rangle$ is close to a correct encoding of $\frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$, i.e. close to

$\frac{1}{\sqrt{2}}(|\tilde{0}\rangle - |\tilde{1}\rangle) = \frac{1}{\sqrt{2}}(V_0|\tilde{0}\rangle + V_1|\tilde{0}\rangle - V_0|\tilde{1}\rangle - V_1|\tilde{1}\rangle).$



After the transformation, we obtain

$|\tilde{\psi}\rangle = \frac{1}{\sqrt{2}}(V_0|\tilde{0}\rangle - V_1|\tilde{0}\rangle + V_0|\tilde{1}\rangle - V_1|\tilde{1}\rangle).$
Thus,

$\langle\tilde{\psi}|\frac{1}{\sqrt{2}}(|\tilde{0}\rangle - |\tilde{1}\rangle) = \frac{1}{2}\big(\langle\tilde{0}|V_0|\tilde{0}\rangle - \langle\tilde{0}|V_1|\tilde{0}\rangle - \langle\tilde{1}|V_0|\tilde{1}\rangle + \langle\tilde{1}|V_1|\tilde{1}\rangle - \langle\tilde{0}|V_0|\tilde{1}\rangle + \langle\tilde{1}|V_0|\tilde{0}\rangle + \langle\tilde{0}|V_1|\tilde{1}\rangle - \langle\tilde{1}|V_1|\tilde{0}\rangle\big)$

$= \frac{1}{2}\big(\mathrm{Tr}(V_0\rho_0^{(k)}) - \mathrm{Tr}(V_1\rho_0^{(k)}) - \mathrm{Tr}(V_0\rho_1^{(k)}) + \mathrm{Tr}(V_1\rho_1^{(k)})\big) + \frac{1}{2}\big(-[\langle\tilde{0}|V_0|\tilde{1}\rangle - \langle\tilde{1}|V_0|\tilde{0}\rangle] + [\langle\tilde{0}|V_1|\tilde{1}\rangle - \langle\tilde{1}|V_1|\tilde{0}\rangle]\big)$

We can substitute for the first line in terms of $p_0$ and $p_1$, which are real. The second line is purely imaginary. Thus,

$\left|\langle\tilde{\psi}|\frac{1}{\sqrt{2}}(|\tilde{0}\rangle - |\tilde{1}\rangle)\right| \geq \frac{1}{2}\left[p_0 - (1 - p_0) - (1 - p_1) + p_1\right] = p_0 + p_1 - 1.$



Bob's decoding can only increase the fidelity of the two states, as can discarding the reference system, proving the claim. □

Thus, for a specific value $k$ of the key, $F(\rho^{(k)}, \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)|\mathrm{acc}\rangle) \geq p_0 + p_1 - 1$, where $\rho^{(k)}$ is the output after the adversary's transformation when the input is $\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$. Fidelity is concave, so by Jensen's inequality the fidelity of the average density matrix $\rho = \frac{1}{|\mathcal{K}|}\sum_k\rho^{(k)}$ is at least the average of the fidelities for each $k$. That is,

$F(\rho, \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)|\mathrm{acc}\rangle) \geq \frac{1}{|\mathcal{K}|}\sum_k(p_0 + p_1 - 1) > 1 - 2\eta.$

In other words, the adversary can change the state $\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ with probability at least $1 - 2\eta$.

□



When two states can be distinguished, but only just barely, the above lemma is not sufficient. Instead, we must magnify the distinguishability of the states $|0\rangle$ and $|1\rangle$ by repetition, that is, by considering the tensor product of many copies of the same state. The probability of distinguishing them then goes to 1 exponentially fast in the number of copies:

Lemma 18 Let $\rho_0, \rho_1$ be density matrices with $D(\rho_0, \rho_1) = \delta$. Then $D(\rho_0^{\otimes t}, \rho_1^{\otimes t}) > 1 - 2\exp(-t\delta^2/2)$.



Proof (of Lemma 18): We can bound $D(\rho_0^{\otimes t}, \rho_1^{\otimes t})$ by giving a test which distinguishes them very well. We know there exists a measurement given by spaces $V_0, V_1$ such that $\mathrm{Tr}(V_0\rho_0) - \mathrm{Tr}(V_0\rho_1) = \delta$. Consider the test which performs this measurement on $t$ independent copies of $\rho_0$ or $\rho_1$. The test outputs 0 if more than a fraction $(\mathrm{Tr}(V_0\rho_0) + \mathrm{Tr}(V_0\rho_1))/2$ of the measurements produce 0.

By the Chernoff bound, the probability that this test will make the wrong guess is at most $\exp(-t\delta^2/2)$.

Thus, $D(\rho_0^{\otimes t}, \rho_1^{\otimes t}) > 1 - 2\exp(-t\delta^2/2)$.



□ 
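As an added illustration of Lemmas 9 and 18 (not part of the paper), the Python below runs the threshold test of the proof exactly for two commuting (diagonal) states $\rho_0 = \mathrm{diag}(p_0, 1 - p_0)$ and $\rho_1 = \mathrm{diag}(p_1, 1 - p_1)$ with $V_0 = |0\rangle\langle 0|$, so that $\delta = p_0 - p_1$: it computes the test's two error probabilities, compares them with $\exp(-t\delta^2/2)$, and compares the exact trace distance $D(\rho_0^{\otimes t}, \rho_1^{\otimes t})$ with the lemma's bound. The values $p_0 = 3/5$, $p_1 = 2/5$ are a constructed sample.

```python
import math
from fractions import Fraction


def example_states():
    """Constructed sample: p0 = Tr(V_0 rho_0) = 3/5, p1 = Tr(V_0 rho_1) = 2/5, so delta = 1/5."""
    return Fraction(3, 5), Fraction(2, 5)


def binomial_pmf(t, k, p):
    """Probability that exactly k of t independent measurements give outcome 0, each with probability p."""
    return math.comb(t, k) * p ** k * (1 - p) ** (t - k)


def threshold_test_errors(p0, p1, t):
    """Exact error probabilities of the test in the proof of Lemma 18: measure V_0 on each of t
    copies and output 0 iff more than a fraction (p0 + p1)/2 of the outcomes are 0.
    Returns (err0, err1): err0 = Pr[test says 1 | rho_0], err1 = Pr[test says 0 | rho_1]."""
    threshold = (p0 + p1) / 2
    err0 = sum(binomial_pmf(t, k, p0) for k in range(t + 1) if Fraction(k, t) <= threshold)
    err1 = sum(binomial_pmf(t, k, p1) for k in range(t + 1) if Fraction(k, t) > threshold)
    return err0, err1


def chernoff_bound(delta, t):
    """The bound exp(-t delta^2 / 2) quoted in the proof (Hoeffding's form of the Chernoff bound)."""
    return math.exp(-t * delta ** 2 / 2)


def trace_distance_tensor_power(p0, p1, t):
    """Exact D(rho_0^{(x)t}, rho_1^{(x)t}) for the diagonal states: both product states are
    classical distributions over the 2^t outcome strings, and the half-sum of absolute
    differences depends only on the number k of zeros in a string."""
    return sum(math.comb(t, k) * abs(p0 ** k * (1 - p0) ** (t - k) - p1 ** k * (1 - p1) ** (t - k))
               for k in range(t + 1)) / 2


def lemma_18_holds(p0, p1, t):
    """Check the chain D(rho_0^t, rho_1^t) >= 1 - err0 - err1 >= 1 - 2 exp(-t delta^2 / 2).
    The middle quantity is what the threshold test itself certifies, since any test T gives
    D >= Tr(T rho_0^t) - Tr(T rho_1^t) = (1 - err0) - err1."""
    delta = p0 - p1
    err0, err1 = threshold_test_errors(p0, p1, t)
    bound = chernoff_bound(delta, t)
    d = trace_distance_tensor_power(p0, p1, t)
    return err0 <= bound and err1 <= bound and d >= 1 - err0 - err1 and d >= 1 - 2 * bound


if __name__ == "__main__":
    p0, p1 = example_states()
    for t in (1, 10, 50, 200):
        err0, err1 = threshold_test_errors(p0, p1, t)
        bound = chernoff_bound(p0 - p1, t)
        print(f"t={t:4d}  errors={float(err0):.4f},{float(err1):.4f}  bound={bound:.4f}  "
              f"D={float(trace_distance_tensor_power(p0, p1, t)):.4f}  1-2*bound={1 - 2 * bound:.4f}")
```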



We create these repeated states by encoding them in an iterated QAS consisting of t copies of the original 
QAS (with independent values of the key for each copy). 

Lemma 19 Suppose we iterate the scheme $t$ times. Let $|\psi\rangle = \frac{1}{\sqrt{2}}(|000\ldots0\rangle + |111\ldots1\rangle)$. If $(A, B, \mathcal{K})$ is an $\epsilon$-secure QAS, then the iterated scheme is $10t^3\epsilon$-secure for the state $|\psi\rangle$.

Note that the proof of this lemma goes through the following crucial claim, which follows from a simple 
hybrid argument. 
Claim 20 (Product states) The iterated scheme is $t\epsilon$-secure for any product state.



Proof (of Claim 20): For simplicity we prove the claim for the state $|000\ldots0\rangle$. The same proof works for any product pure state (and in fact for separable states in general).

Intuitively, an adversary who modifies the state $|000\ldots0\rangle$ must change some component of the state. We can formalize this by rewriting the projector $P_0^{|000\ldots0\rangle}$ in terms of the individual projectors $P_0^{|0\rangle}$.

For the case $t = 2$, Bob accepts only if he finds the verification qubits for both schemes in the accept state.

$P_0^{|00\rangle} = (I_{M_1M_2} - |00\rangle\langle00|) \otimes |\mathrm{acc}_1\rangle\langle\mathrm{acc}_1| \otimes |\mathrm{acc}_2\rangle\langle\mathrm{acc}_2|$

$= \big[(I_{M_1} - |0\rangle\langle0|) \otimes I_{M_2} + I_{M_1} \otimes (I_{M_2} - |0\rangle\langle0|) - (I_{M_1} - |0\rangle\langle0|) \otimes (I_{M_2} - |0\rangle\langle0|)\big] \otimes |\mathrm{acc}_1\rangle\langle\mathrm{acc}_1| \otimes |\mathrm{acc}_2\rangle\langle\mathrm{acc}_2|$

$= P_0^{|0\rangle,1} \otimes |\mathrm{acc}_2\rangle\langle\mathrm{acc}_2| + P_0^{|0\rangle,2} \otimes |\mathrm{acc}_1\rangle\langle\mathrm{acc}_1| - P_0^{|0\rangle,1} \otimes P_0^{|0\rangle,2}$

Since $P_0^{|0\rangle,1} \otimes P_0^{|0\rangle,2}$ is positive, for all $\rho$, we have

$\mathrm{Tr}(P_0^{|00\rangle}\rho) \leq \mathrm{Tr}(P_0^{|0\rangle,1}\rho) + \mathrm{Tr}(P_0^{|0\rangle,2}\rho) \leq 2\epsilon.$

Similarly, for larger values of $t$ we have

$\mathrm{Tr}(P_0^{|000\ldots0\rangle}\rho) \leq \sum_{i=1}^{t}\mathrm{Tr}(P_0^{|0\rangle,i}\rho) \leq t\epsilon.$

Thus the iterated scheme is $t\epsilon$-secure for $|000\ldots0\rangle$ (and in fact for all product states). □



Proof (of Lemma 19): Consider the net superoperator due to encoding, decoding, and the adversary's intervention, i.e. $\mathcal{O}_{\mathrm{net}} = \sum_k B_k\mathcal{O}_{\mathrm{adv}}A_k$. By introducing an ancilla system $R$, we can extend this superoperator to a linear transformation on the joint system $M \otimes R \otimes V$ (where $M$ is the message system and $V$ is Bob's verification qubit). For a pure state $|\psi\rangle$, write its image as

$|\psi\rangle|\gamma_{|\psi\rangle}\rangle|\mathrm{acc}\rangle + |\beta_{|\psi\rangle}\rangle|\mathrm{rej}\rangle + |\delta_{|\psi\rangle}\rangle|\mathrm{acc}\rangle$

where $|\delta_{|\psi\rangle}\rangle$ is a joint state of $MR$ which is orthogonal to the subspace $|\psi\rangle \otimes R$.

Now consider the family of states $|\psi_i\rangle = |\underbrace{000\ldots0}_{i}\underbrace{111\ldots1}_{t-i}\rangle$ and let $|\gamma_i\rangle = |\gamma_{|\psi_i\rangle}\rangle$ and $|\delta_i\rangle = |\delta_{|\psi_i\rangle}\rangle$.

Claim 21 For all $i = 0, \ldots, t-1$, we have $\left\|\frac{1}{2}(|\gamma_{i+1}\rangle - |\gamma_i\rangle)\right\| \leq (1 + \sqrt{2})\sqrt{t\epsilon}$.

Proof: Fix $i$. Note that $|\psi_+\rangle = \frac{1}{\sqrt{2}}(|\psi_{i+1}\rangle + |\psi_i\rangle)$ is a product state (with $H|0\rangle$ in one position), as is $|\psi_-\rangle = \frac{1}{\sqrt{2}}(|\psi_{i+1}\rangle - |\psi_i\rangle)$. The image of $|\psi_+\rangle$ can be written

$\frac{1}{\sqrt{2}}\big((|\psi_{i+1}\rangle|\gamma_{i+1}\rangle + |\psi_i\rangle|\gamma_i\rangle)|\mathrm{acc}\rangle + (|\delta_{i+1}\rangle + |\delta_i\rangle)|\mathrm{acc}\rangle + (|\beta_{i+1}\rangle + |\beta_i\rangle)|\mathrm{rej}\rangle\big)$

$= \Big(|\psi_+\rangle\frac{1}{2}(|\gamma_{i+1}\rangle + |\gamma_i\rangle) + |\psi_-\rangle\frac{1}{2}(|\gamma_{i+1}\rangle - |\gamma_i\rangle) + \frac{1}{\sqrt{2}}(|\delta_{i+1}\rangle + |\delta_i\rangle)\Big)|\mathrm{acc}\rangle + \frac{1}{\sqrt{2}}(|\beta_{i+1}\rangle + |\beta_i\rangle)|\mathrm{rej}\rangle$
Now we know that $\||\delta_i\rangle\|^2 \leq t\epsilon$ for all $i$ (since $|\psi_i\rangle$ is a product state). Thus, $\left\|\frac{1}{\sqrt{2}}(|\delta_{i+1}\rangle + |\delta_i\rangle)\right\| \leq \sqrt{2t\epsilon}$. Moreover, $|\psi_+\rangle$ is a product state and so we have

$\left\||\psi_-\rangle\frac{1}{2}(|\gamma_{i+1}\rangle - |\gamma_i\rangle) + \frac{1}{\sqrt{2}}(|\delta_{i+1}\rangle + |\delta_i\rangle)\right\| \leq \sqrt{t\epsilon}.$

Thus, $\left\||\psi_-\rangle\frac{1}{2}(|\gamma_{i+1}\rangle - |\gamma_i\rangle)\right\| = \left\|\frac{1}{2}(|\gamma_{i+1}\rangle - |\gamma_i\rangle)\right\| \leq (1 + \sqrt{2})\sqrt{t\epsilon}$. □

Then by the triangle inequality, $\|\tfrac12(|\gamma_t\rangle - |\gamma_0\rangle)\| \le (1+\sqrt2)\,t\sqrt{t\epsilon}$. Let $|\Psi_\pm\rangle = \tfrac{1}{\sqrt2}(|\psi_t\rangle \pm |\psi_0\rangle)$. The image of $|\Psi_+\rangle = \tfrac{1}{\sqrt2}(|000\ldots0\rangle + |111\ldots1\rangle)$ is

\[
\Big( |\Psi_+\rangle\tfrac12(|\gamma_t\rangle + |\gamma_0\rangle) + |\Psi_-\rangle\tfrac12(|\gamma_t\rangle - |\gamma_0\rangle) + \tfrac{1}{\sqrt2}(|\delta_t\rangle + |\delta_0\rangle) \Big)|\mathrm{ACC}\rangle + \tfrac{1}{\sqrt2}(|\beta_t\rangle + |\beta_0\rangle)|\mathrm{REJ}\rangle.
\]

Now the trace of this state with $P_0^{|\Psi_+\rangle}$ is at most the square of

\[
\Big\| |\Psi_-\rangle\tfrac12(|\gamma_t\rangle - |\gamma_0\rangle) + \tfrac{1}{\sqrt2}(|\delta_t\rangle + |\delta_0\rangle) \Big\|
\le \Big\| |\Psi_-\rangle\tfrac12(|\gamma_t\rangle - |\gamma_0\rangle)\Big\| + \Big\|\tfrac{1}{\sqrt2}(|\delta_t\rangle + |\delta_0\rangle)\Big\|
\le (1+\sqrt2)\,t\sqrt{t\epsilon} + \sqrt{2t\epsilon}
\le \sqrt{10t^3\epsilon},
\]

where in the last line we have assumed $t \ge 2$ (for such $t$, $(1+\sqrt2)t + \sqrt2 \le (1+\tfrac32\sqrt2)\,t < \sqrt{10}\,t$). That is, the iterated scheme is $10t^3\epsilon$-secure for $|\Psi_+\rangle$. □

Putting the various lemmas together, we find that, given two states $|0\rangle$ and $|1\rangle$ which are slightly distinguishable by the adversary, so $D(\rho_0,\rho_1) \ge \delta$, then in the iterated scheme $|000\ldots0\rangle$ and $|111\ldots1\rangle$ are more distinguishable: $D(\rho_{|000\ldots0\rangle}, \rho_{|111\ldots1\rangle}) \ge 1 - \eta$, where $\eta \le 2\exp(-t\delta^2/2)$. Since the iterated scheme is $10t^3\epsilon$-secure for the state $|\psi\rangle = \tfrac{1}{\sqrt2}(|000\ldots0\rangle + |111\ldots1\rangle)$, then by the first lemma,

\[
10t^3\epsilon \ge 1 - 2\eta \ge 1 - 4\exp(-t\delta^2/2).
\]

Choosing $t = 1/\sqrt[3]{20\epsilon}$, so that $10t^3\epsilon = 1/2$, this forces $4\exp(-t\delta^2/2) \ge 1/2$, i.e. $\delta^2 \le (2\ln 8)/t = 2\ln 8\,(20\epsilon)^{1/3}$; since $\sqrt{2\ln 8\cdot 20^{1/3}} \approx 3.4$, we get $\delta \le 4\epsilon^{1/6}$.

Corollary 22 A QAS with error $\epsilon$ requires at least $2m(1 - \mathrm{poly}(\epsilon))$ classical key bits.

Proof (of Corollary 6). The argument is similar to the argument that $2m$ bits of key are required for perfect encryption. We show that transmitting the key through a channel allows the transmission of almost $2m$ bits of information.

We can consider four subsystems, two held by Alice and two held by Bob. Bob holds both halves of $m$ Bell states (the subsystems $B_1$ and $B_2$), except that $B_1$ has been encrypted by a key $k$ (subsystem $K$) held by Alice. Alice also holds $R$, a purification of the other three systems.

Using superdense coding, Bob's two systems $B_1$ and $B_2$ can encode $2m$ classical bits of information. In order to recover that information, Bob needs Alice's key (system $K$). Since the encryption is not perfect, however, Bob may have a small amount of information about the encoded state.

Let us imagine that Bob's systems initially encode the classical message $000\ldots0$. Suppose Alice wishes to send Bob the message $M$. Since the encryption is almost perfect, Bob's two density matrices $\rho_B(000\ldots0)$ and $\rho_B(M)$ are almost indistinguishable. Therefore, by the argument proving bit commitment is impossible, Alice can, acting only on her own systems $K$ and $R$, change the pure state corresponding to encrypted $000\ldots0$ to something very close to the pure state corresponding to encrypted $M$.

If Alice now sends $K$ to Bob, he is able to (almost always) decode the message $M$. His failure probability is a polynomial in $\epsilon$, so he has received $2m(1 - \mathrm{poly}(\epsilon))$ bits of information, and therefore $K$ must consist of at least $2m(1 - \mathrm{poly}(\epsilon))$ classical bits or half as many qubits.

In fact, $K$ might as well be classical: Bob's decoding method will be to immediately measure $K$, since he is expecting a classical key, and therefore Alice might as well have measured $K$ before sending it; naturally, this actually means she includes entangled qubits in the purification $R$. We thus restrict $K$ to classical bits and prove the corollary. □
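The superdense-coding step of this proof, as an added example that is not part of the paper: it models the $m = 1$ case with a single Bell pair, and uses the Pauli one-time pad on $B_1$ as a stand-in for the encryption of $B_1$ by the key $k$ (the paper's argument is for any almost-perfect encryption; the choice of the Pauli pad, the bit labelling of Paulis and messages, and the pure-Python matrix helpers are assumptions of this illustration). It shows both halves of the argument: averaged over a uniform key, Bob's Bell measurement says nothing about the message, while with the key he recovers all $2m = 2$ bits.

```python
"""Superdense coding behind a Pauli one-time pad (added illustration, not from the paper).

Toy model of the key-length argument with m = 1: Bob holds both halves of a single
Bell pair, so superdense coding packs 2 classical bits into it.  Half B1 is
"encrypted" with a 2-bit key k by the Pauli one-time pad, which stands in here for
the paper's (almost) perfect encryption.  Without k, Bob's Bell measurement is
uniform over the four outcomes and carries nothing about the message; with k he
recovers both bits, so handing him K conveys the full 2m = 2 bits.
Pure Python (lists of floats), no numpy.
"""
import random

# Single-qubit Paulis.  We label them by two bits (x, z): sigma_(x,z) = X^x Z^z,
# so the four labels double as the four messages and the four key values.
I2 = [[1.0, 0.0], [0.0, 1.0]]
X = [[0.0, 1.0], [1.0, 0.0]]
Z = [[1.0, 0.0], [0.0, -1.0]]
LABELS = [(0, 0), (0, 1), (1, 0), (1, 1)]

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]

def kron(a, b):
    """Tensor product; the first factor acts on the first (most significant) qubit."""
    ra, ca, rb, cb = len(a), len(a[0]), len(b), len(b[0])
    return [[a[i // rb][j // cb] * b[i % rb][j % cb] for j in range(ca * cb)]
            for i in range(ra * rb)]

def apply(m, v):
    return [sum(m[i][j] * v[j] for j in range(len(v))) for i in range(len(v))]

def pauli(x, z):
    p = I2
    if x:
        p = matmul(p, X)
    if z:
        p = matmul(p, Z)
    return p

# |Phi+> = (|00> + |11>)/sqrt(2) on B1 (first qubit) x B2 (second qubit).
PHI_PLUS = [2 ** -0.5, 0.0, 0.0, 2 ** -0.5]

def bell_basis():
    """The four Bell states (I x sigma_(x,z))|Phi+>, indexed by (x, z)."""
    return {lbl: apply(kron(I2, pauli(*lbl)), PHI_PLUS) for lbl in LABELS}

def encode_and_encrypt(msg, k):
    """Bob superdense-codes the 2 bits `msg` onto B2; B1 is then padded with sigma_k."""
    coded = apply(kron(I2, pauli(*msg)), PHI_PLUS)
    return apply(kron(pauli(*k), I2), coded)

def bell_measurement(state):
    """Outcome probabilities of a Bell-basis measurement on B1 B2 (all amplitudes are real)."""
    return {lbl: sum(b * s for b, s in zip(bell, state)) ** 2
            for lbl, bell in bell_basis().items()}

def recover_with_key(msg, k):
    """With the key: measure, then un-pad the outcome (sigma_k on B1 shifts the label by k)."""
    dist = bell_measurement(encode_and_encrypt(msg, k))
    outcome = max(dist, key=dist.get)   # exactly one outcome has probability 1
    return (outcome[0] ^ k[0], outcome[1] ^ k[1])

def blind_distribution(msg):
    """Without the key: average the outcome distribution over a uniform k."""
    avg = {lbl: 0.0 for lbl in LABELS}
    for k in LABELS:
        for lbl, p in bell_measurement(encode_and_encrypt(msg, k)).items():
            avg[lbl] += p / len(LABELS)
    return avg

if __name__ == "__main__":
    for msg in LABELS:
        k = random.choice(LABELS)                     # constructed sample key
        print("message", msg, "key", k,
              "recovered with key:", recover_with_key(msg, k),
              "outcome distribution without key:",
              {lbl: round(p, 3) for lbl, p in blind_distribution(msg).items()})
```

The identity behind `recover_with_key` is $(\sigma_k\otimes I)|\Phi^+\rangle = (I\otimes\sigma_k^{T})|\Phi^+\rangle$, so padding $B_1$ with $\sigma_k$ turns the Bell state labelled $M$ into the one labelled $M\oplus k$ (up to a global sign); the key is exactly the 2 bits Bob is missing, which is the $m = 1$ instance of the $2m$ count in the proof.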